Description
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
Published: 2026-05-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 can enable an attacker with administrative privileges to execute arbitrary code on the server due to an exposed method that is not properly restricted. The vulnerability occurs when the application processes requests that invoke this method, allowing the attacker to run code with the elevated privileges of the service account.

Affected Systems

IBM Engineering Lifecycle Management – Jazz Foundation is affected for the following product releases: version 7.0.3 through iFix022, version 7.1.0 through iFix010, and version 7.2.0 through iFix002. Users of these releases should verify the presence or absence of the specified interim fixes and plan to apply the recommended patches accordingly.

Risk and Exploitability

The CVSS score of 7.2 categorizes this issue as high severity. The EPSS score is not available, so no assessment of exploitation likelihood can be made from that metric, and it is not listed in the CISA KEV catalog. The vulnerability requires that an attacker already possess administrative privileges, indicating an internal threat or post-authentication scenario. Once these conditions are met, remote code execution can be achieved, potentially compromising the entire application environment.

Generated by OpenCVE AI on May 26, 2026 at 21:53 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below: Affected Product(s)Version(s)Remediation/Fix/Instructions IBM Engineering Lifecycle Management - Jazz Foundation 7.0.3Download and install  iFix022 https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Engineering Lifecycle Management - Jazz Foundation 7.1.0Download and install  iFix010 https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Engineering Lifecycle Management - Jazz Foundation 7.2.0Download and install  iFix002 https://www.ibm.com/support/fixcentral/swg/downloadFixes

OpenCVE Recommended Actions

  • Download and install iFix022 for IBM Engineering Lifecycle Management – Jazz Foundation 7.0.3 from IBM Fix Central
  • Download and install iFix010 for IBM Engineering Lifecycle Management – Jazz Foundation 7.1.0 from IBM Fix Central
  • Download and install iFix002 for IBM Engineering Lifecycle Management – Jazz Foundation 7.2.0 from IBM Fix Central

Generated by OpenCVE AI on May 26, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:-:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix002:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix003:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix004:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix005:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix006:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix007:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix008:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix009:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix010:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix011:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix012:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix013:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix014:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix015:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix016:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix017:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix018:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix019:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix020:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix001:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix002:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix003:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix004:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix005:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix006:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix007:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix008:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:-:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:ifix001:*:*:*:*:*:*

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted. IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
Title IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth Remote Code Execution
First Time appeared Ibm
Ibm engineering Lifecycle Management
Weaknesses CWE-749
CPEs cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.2:ifix1:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix021:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix009:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm engineering Lifecycle Management
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ibm Engineering Lifecycle Management
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-28T03:55:37.288Z

Reserved: 2026-03-12T14:25:02.970Z

Link: CVE-2026-4051

cve-icon Vulnrichment

Updated: 2026-05-27T10:43:42.676Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T19:16:28.990

Modified: 2026-06-17T10:55:54.383

Link: CVE-2026-4051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T22:00:15Z

Weaknesses
  • CWE-749

    Exposed Dangerous Method or Function