COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-9074

CVE-2026-9074

Severity
critical
Source
NVD · cve
Published
2026-07-08
CVSS
9.1
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-9074
shame 45/100 unpatchedsql-injectionpassword-reset

IBM API Connect versions 10.0.8.0–10.0.8.9 and 12.1.0.0–12.1.0.3 contain an unauthenticated SQL injection vulnerability in the password reset functionality.

This critical (CVSS 9.1) SQL injection flaw allows attackers to bypass authentication and potentially access sensitive data without credentials, posing a severe risk to FedRAMP and NIST 800-171 systems. DIB organizations must immediately patch affected IBM API Connect instances to prevent unauthorized access and potential data exfiltration.

Shame score — A critical unauthenticated SQL injection in a password reset function is a high-severity flaw that could lead to credential bypass, though it is not yet actively exploited in the wild.

Players implicated

IBM · vendorapi connect · product

Description

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

Affected FedRAMP products 5 in the catalog

ProductProviderStatusMatch
IBM Cloud for Government IBM Authorized vendor-exact · 0.90
IBM Federal HR Cloud IBM Authorized vendor-exact · 0.90
IBM Maximo and TRIRIGA on Cloud for U.S. Federal IBM Authorized vendor-exact · 0.90
MaaS360 Enterprise Mobility Management IBM Authorized vendor-exact · 0.90
SmartCloud for Government IBM Authorized vendor-exact · 0.90