Description
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.
Published: 2026-05-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Aspera High‑Speed Transfer Server for Cloud Pak for Integration versions 1.5.1 through 1.5.19 contain an authentication bypass flaw that allows a client to read files stored on the server’s local disk when certain restriction settings are not enabled. The CVE description does not state that the vulnerability allows modification or deletion of files.

Affected Systems

IBM Aspera High‑Speed Transfer Server for Cloud Pak for Integration versions 1.5.1 to 1.5.19 are affected. Versions 1.5.20 and later are not impacted, as the patch removes the bypass logic.

Risk and Exploitability

The CVSS score of 9.1 reflects a severe impact, while the EPSS score of <1% indicates a low but non-zero probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Attackers need network reach to the vulnerable endpoints and can send a crafted request that satisfies the authentication checks without valid credentials, thereby gaining read access to the server’s local files. The advisory does not fully detail the exact attack steps, so this exploitation path, including the crafted request, is inferred from the description.

Generated by OpenCVE AI on June 11, 2026 at 22:28 UTC.

Remediation

Vendor Solution

Product(s): IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)
VRMF: 1.5.20
Remediation/First Fix: Access your charts to get the latest version


OpenCVE Recommended Actions

  • Upgrade to IBM Aspera High‑Speed Transfer Server for Cloud Pak for Integration version 1.5.20 or later following IBM’s release notes.
  • Before applying the patch, limit inbound traffic to the Aspera service by configuring firewall rules to allow only trusted internal hosts.
  • Monitor authentication and access logs for unusual activity or repeated unauthorized access attempts to detect potential exploitation.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 14:15:00 +0000

Type: Description
Values Removed: IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
Values Added: IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.

Fri, 29 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aspera High-speed Transfer Server For Cloud Pak For Integration
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:ibm:aspera_high-speed_transfer_server_for_cloud_pak_for_integration:*:*:*:*:*:*:*:*
Vendors & Products Ibm aspera High-speed Transfer Server For Cloud Pak For Integration

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
Title Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration
First Time appeared Ibm
Ibm aspera Hsts For Cp4i
Weaknesses CWE-287
CPEs cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm aspera Hsts For Cp4i
References

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-11T14:05:33.251Z

Reserved: 2026-05-05T16:12:39.223Z

Link: CVE-2026-7876

Vulnrichment

Updated: 2026-05-28T14:21:55.302Z

NVD

Status: Modified

Published: 2026-05-27T14:17:35.727

Modified: 2026-06-11T14:16:32.763

Link: CVE-2026-7876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z
