Description
When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in F5 BIG‑IP allows an IP‑based access restriction that an administrator has configured for the httpd service to be bypassed on certain endpoints: the restriction is enforced on some paths but not on all of them, so an uncovered path acts as an alternate route around the control. An attacker connecting from an address that should be blocked can reach those endpoints and obtain whatever they expose; the CVSS v4.0 vector rates the effect as limited information disclosure (VC:L) with no integrity or availability impact. The weakness is classified as CWE‑420 (Unprotected Alternate Channel), and the issue is in the product's enforcement of the restriction, not in the operator's configuration.

Affected Systems

F5 BIG‑IP is affected. The CVE record does not yet list affected or fixed versions, so treat all supported releases as potentially affected until F5 publishes version details and a fix. Software versions that have reached End of Technical Support (EoTS) were not evaluated.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (v3.1: 5.3) indicates medium severity. The vector (AV:N/AC:L/AT:N/PR:N/UI:N) means the issue is reachable over the network with no authentication, no user interaction and no special preconditions, and the SSVC enrichment marks it Automatable: yes with partial technical impact. EPSS is below 1% (very low) and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild to date. An attacker needs network reach to the BIG‑IP httpd service, which serves the Configuration utility and iControl REST, and would simply request the endpoints the allow‑list does not cover; whether that is possible from outside depends on how the management plane is exposed, since a device whose management interface and self IPs are reachable only from an administrative network limits the attacker to that network. No public exploit code is documented. Because the bypass is in the product rather than in the configuration, tightening the httpd allow‑list alone does not remove the exposure; risk assessment should focus on how reachable the httpd service is from untrusted networks.

Generated by OpenCVE AI on May 13, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the F5 update for this issue once it is published. Until then, treat the httpd IP access restriction as unreliable and rely on compensating controls rather than on the allow‑list itself.
  • Enforce the same source‑IP restriction at a layer the flaw does not affect: a firewall or ACL in front of the management interface, self IP port lockdown and management‑network segmentation, so that httpd is reachable only from trusted administrative addresses. Review the current list with `tmsh list /sys httpd allow` to know exactly which sources should be able to reach the device, but do not expect the list alone to cover every endpoint.
  • Forward the httpd access logs to a SIEM and alert on any request from a source outside the configured allow‑list that was not answered with a 403 (a 401 counts, since it means the request reached the application instead of being refused at the IP check). Investigate every hit promptly as a possible bypass and record the endpoints involved.
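The alerting step above can be checked against real log data. The following is an added example, not code from OpenCVE or F5: it parses Apache combined‑format access log lines (the format assumed here for the BIG‑IP httpd access log), applies a caller‑supplied allow‑list, and reports every request from a non‑allowed address that was answered with anything other than a 403. The allow‑list, the log lines and the paths `/example/uncovered-path` and `/example/other` are constructed sample data; the script accepts any paths and both IPv4 and IPv6 addresses.

```python
"""
Find httpd requests that reached the server from addresses outside the
configured allow-list and were not rejected.  Added example (not OpenCVE's
or F5's code).  Assumes Apache "combined" log format; allow-list and log
lines below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass

# Apache combined format:
# client ident user [time] "method path proto" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Finding:
    client: str
    path: str
    status: int
    time: str


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    return {"client": m["client"], "path": m["path"],
            "status": int(m["status"]), "time": m["time"]}


def build_allow_list(cidrs):
    """Accept both single addresses and CIDR ranges, IPv4 or IPv6."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(client, allow_list):
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparsable client field: never treat as allowed
    return any(ip in net for net in allow_list)


def find_bypasses(log_lines, allow_cidrs):
    """Every request from a non-allowed source that was not refused.

    A correctly enforced IP restriction answers such requests with 403 (or
    drops them, leaving no entry).  Any other status, including 401, means
    the endpoint was served despite the restriction."""
    allow = build_allow_list(allow_cidrs)
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or is_allowed(rec["client"], allow):
            continue
        if rec["status"] == 403:
            continue  # restriction enforced as expected
        findings.append(Finding(rec["client"], rec["path"],
                                rec["status"], rec["time"]))
    return findings


def uncovered_paths(log_lines, allow_cidrs):
    """Sorted set of paths served to blocked addresses: the endpoints the
    allow-list did not cover."""
    return sorted({f.path for f in find_bypasses(log_lines, allow_cidrs)})


# Constructed sample data: the admin network is allowed, 198.51.100.77 is not.
# /example/uncovered-path and /example/other are hypothetical placeholders,
# not real BIG-IP endpoints.
ALLOW_CIDRS = ["10.10.0.0/24", "192.0.2.10/32"]
SAMPLE_LOG = [
    '10.10.0.5 - - [13/May/2026:16:20:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [13/May/2026:16:20:05 +0000] "GET /tmui/login.jsp HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.77 - - [13/May/2026:16:20:07 +0000] "GET /example/uncovered-path HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.77 - - [13/May/2026:16:20:09 +0000] "POST /example/other HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '192.0.2.10 - - [13/May/2026:16:20:11 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG, ALLOW_CIDRS):
        print(f"BYPASS {f.time} {f.client} {f.path} -> {f.status}")
    print("uncovered paths:", uncovered_paths(SAMPLE_LOG, ALLOW_CIDRS))
```

On the sample data the 403 for `/tmui/login.jsp` shows the restriction working, while the 200 and the 401 from the same blocked address are reported as bypasses: the 401 is included deliberately, because an IP restriction that is enforced at all refuses the request before the application's authentication runs. Run the same functions over the device's own access log to get the list of endpoints the restriction did not cover on real traffic; that list is both the evidence to attach to a vendor case and the input for the upstream ACL rules.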

Generated by OpenCVE AI on May 13, 2026 at 16:51 UTC.


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000

  First Time appeared | values removed: none | values added: F5, F5 big-ip
  Vendors & Products  | values removed: none | values added: F5, F5 big-ip

Wed, 13 May 2026 17:15:00 +0000

  Metrics | values removed: none | values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

  Description | values removed: none | values added: When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Title       | values removed: none | values added: BIG-IP httpd access control vulnerability
  Weaknesses  | values removed: none | values added: CWE-420
  References  | values removed: none | values added: none
  Metrics     | values removed: none | values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:17:55.858Z

Reserved: 2026-04-30T23:02:33.887Z

Link: CVE-2026-40435

Vulnrichment

Updated: 2026-05-13T16:17:50.793Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:42.697

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses