Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Aspera HSTS for CP4I by IBM
CVE-2026-7876 (GCVE-0-2026-7876)
Vulnerability from nvd – Published: 2026-05-27 13:56 – Updated: 2026-06-11 14:05
VLAI
EPSS
VEX
Title
Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration
Summary
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7274127 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Aspera HSTS for CP4I |
Affected:
1.5.1 , ≤ 1.5.19
(semver)
cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:21:36.215142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:21:59.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Aspera HSTS for CP4I",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.5.19",
"status": "affected",
"version": "1.5.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The vulnerabilities were reported to IBM by Yannik Marchand."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u0026nbsp;is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server\u0027s local storage that they should not have access to, when specific restriction settings are not in place.\u003c/p\u003e"
}
],
"value": "IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u00a0is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server\u0027s local storage that they should not have access to, when specific restriction settings are not in place."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:05:33.251Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7274127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVRMF\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/First Fix\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)\u003c/td\u003e\u003ctd\u003e1.5.20\u003c/td\u003e\u003ctd\u003e-\u0026nbsp;Access your charts to get the latest version\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e"
}
],
"value": "Product(s)VRMFRemediation/First FixIBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)1.5.20-\u00a0Access your charts to get the latest version"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-7876",
"datePublished": "2026-05-27T13:56:16.166Z",
"dateReserved": "2026-05-05T16:12:39.223Z",
"dateUpdated": "2026-06-11T14:05:33.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7876 (GCVE-0-2026-7876)
Vulnerability from cvelistv5 – Published: 2026-05-27 13:56 – Updated: 2026-06-11 14:05
VLAI
EPSS
VEX
Title
Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration
Summary
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7274127 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Aspera HSTS for CP4I |
Affected:
1.5.1 , ≤ 1.5.19
(semver)
cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:21:36.215142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:21:59.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Aspera HSTS for CP4I",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.5.19",
"status": "affected",
"version": "1.5.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The vulnerabilities were reported to IBM by Yannik Marchand."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u0026nbsp;is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server\u0027s local storage that they should not have access to, when specific restriction settings are not in place.\u003c/p\u003e"
}
],
"value": "IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u00a0is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server\u0027s local storage that they should not have access to, when specific restriction settings are not in place."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:05:33.251Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7274127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVRMF\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/First Fix\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)\u003c/td\u003e\u003ctd\u003e1.5.20\u003c/td\u003e\u003ctd\u003e-\u0026nbsp;Access your charts to get the latest version\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e"
}
],
"value": "Product(s)VRMFRemediation/First FixIBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)1.5.20-\u00a0Access your charts to get the latest version"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-7876",
"datePublished": "2026-05-27T13:56:16.166Z",
"dateReserved": "2026-05-05T16:12:39.223Z",
"dateUpdated": "2026-06-11T14:05:33.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}