Description
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
Published: 2026-05-26
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Jazz Foundation component of IBM Engineering Lifecycle Management permits end‑users with administrative privileges to execute arbitrary code on the server because a method is exposed without adequate access checks. The vulnerability arises when the application processes requests that allow direct invocation of this method, enabling an attacker to run arbitrary code with the elevated privileges of the service account.

Affected Systems

IBM Engineering Lifecycle Management – Jazz Foundation is affected for the following product releases: version 7.0.3 through Interim Fix 021, version 7.1.0 through Interim Fix 009, and version 7.2.0 through Interim Fix 001. Users of these releases should verify the presence or absence of the specified interim fixes and plan to apply the recommended patches accordingly.

Risk and Exploitability

The CVSS score of 7.2 categorizes this issue as high severity. The EPSS score is not available, so no assessment of exploitation likelihood can be made from that metric, and it is not listed in the CISA KEV catalog. The vulnerability requires that an attacker already possess administrative privileges, indicating an internal threat or post‑authentication scenario. Once these conditions are met, remote code execution can be achieved, potentially compromising the entire application environment.

Generated by OpenCVE AI on May 26, 2026 at 20:25 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below: Affected Product(s)Version(s)Remediation/Fix/Instructions IBM Engineering Lifecycle Management - Jazz Foundation 7.0.3Download and install  iFix022 https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Engineering Lifecycle Management - Jazz Foundation 7.1.0Download and install  iFix010 https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Engineering Lifecycle Management - Jazz Foundation 7.2.0Download and install  iFix002 https://www.ibm.com/support/fixcentral/swg/downloadFixes

OpenCVE Recommended Actions

  • Download and install iFix022 for IBM Engineering Lifecycle Management – Jazz Foundation 7.0.3 from IBM Fix Central
  • Download and install iFix010 for IBM Engineering Lifecycle Management – Jazz Foundation 7.1.0 from IBM Fix Central
  • Download and install iFix002 for IBM Engineering Lifecycle Management – Jazz Foundation 7.2.0 from IBM Fix Central

Generated by OpenCVE AI on May 26, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted. IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
Title IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth Remote Code Execution
First Time appeared Ibm
Ibm engineering Lifecycle Management
Weaknesses CWE-749
CPEs cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.2:ifix1:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix021:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix009:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm engineering Lifecycle Management
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ibm Engineering Lifecycle Management
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T20:08:52.409Z

Reserved: 2026-03-12T14:25:02.970Z

Link: CVE-2026-4051

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-26T19:16:28.990

Modified: 2026-05-26T21:16:44.300

Link: CVE-2026-4051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:45:06Z

Weaknesses