Vulnerability-Lookup

GHSA-P4QJ-FGM6-87W7

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33

Details

IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-3676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:16:47Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.",
  "id": "GHSA-p4qj-fgm6-87w7",
  "modified": "2026-05-27T15:33:12Z",
  "published": "2026-05-27T15:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3676"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7273649"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-3676 (GCVE-0-2026-3676)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:48 – Updated: 2026-05-27 14:38

Title

There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Summary

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1284 - Improper Validation of Specified Quantity in Input

Assigner

ibm

References

1 reference

URL	Tags
https://www.ibm.com/support/pages/node/7273649	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
IBM	Cloud APM, Base Private	Affected: 8.1.4 , ≤ ) Interim Fix 021 (semver) cpe:2.3:a:ibm:cloud_apm_base_private:8.1.4:::::::*
IBM	Cloud APM, Advanced Private	Affected: 8.1.4 cpe:2.3:a:ibm:cloud_apm_advanced_private:8.1.4:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3676",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T14:34:24.394252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T14:38:08.383Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:cloud_apm_base_private:8.1.4:*:*:*:*:*:*:*"
          ],
          "product": "Cloud APM, Base Private",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": ") Interim Fix 021",
              "status": "affected",
              "version": "8.1.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:cloud_apm_advanced_private:8.1.4:*:*:*:*:*:*:*"
          ],
          "product": "Cloud APM, Advanced Private",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.\u003c/p\u003e"
            }
          ],
          "value": "IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:48:42.947Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7273649"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:\u003c/p\u003e\u003cp\u003eSecurity Bulletin: \u003ca href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-specially-crafted-query-when-stmtheap-set-automatic-cve-2025-36122\" rel=\"nofollow\"\u003eSecurity Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service with a specially crafted query when stmtheap is set to automatic (CVE-2025-36122)\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSecurity Bulletin: \u003ca href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-when-fetching-certain-tables-under-specific-configurations-cve-2025-14688\" rel=\"nofollow\"\u003eSecurity Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service when fetching from certain tables under specific configurations (CVE-2025-14688)\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSecurity Bulletin:\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-affected-vulnerability-netty-codec-http-41127-cve-2025-67735\" rel=\"nofollow\"\u003eSecurity Bulletin: IBM\u00ae Db2\u00ae is affected by a vulnerability in netty-codec-http-4.1.127 (CVE-2025-67735)\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSecurity Bulletin: \u003ca href=\"https://www.ibm.com/support/pages/node/7257695\" rel=\"nofollow\"\u003ehttps://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-trap-or-return-sqlcode-901-when-compiling-specially-crafted-query-defined-index-cve-2026-1352\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSecurity Bulletin: \u003ca href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-specially-crafted-query-involving-multiple-subqueries-cve-2026-1577\" rel=\"nofollow\"\u003eSecurity Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service with a specially crafted query involving multiple subqueries (CVE-2026-1577)\u003c/a\u003e\u003c/p\u003e\u003cp\u003eTo use your updated DB2 V11.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link:\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management\u0026amp;fixids=8.1.4.0-IBM-APM-SERVER-IF0019\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=IBM%20Performance%20Management%20family\" rel=\"nofollow\"\u003ehttps://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management\u0026amp;fixids=8.1.4.0-IBM-APM-SERVER-IF0019\u0026amp;source=SAR\u0026amp;function=fixId\u0026amp;parent=IBM%20Performance%20Management%20family\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:\n\n\n\nSecurity Bulletin:  https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management\u0026fixids=8.1.4.0-IBM-APM-SERVER-IF0019\u0026source=SAR\u0026function=fixId\u0026parent=IBM%20Performance%20Management%20family"
        }
      ],
      "title": "There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-3676",
    "datePublished": "2026-05-27T12:48:42.947Z",
    "dateReserved": "2026-03-06T21:17:59.734Z",
    "dateUpdated": "2026-05-27T14:38:08.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-P4QJ-FGM6-87W7

CVE-2026-3676 (GCVE-0-2026-3676)

Tags

Sightings

Nomenclature