Exposures › CVE-2026-9074
IBM API Connect versions 10.0.8.0–10.0.8.9 and 12.1.0.0–12.1.0.3 contain an unauthenticated SQL injection vulnerability in the password reset functionality.
This critical (CVSS 9.1) SQL injection flaw allows attackers to bypass authentication and potentially access sensitive data without credentials, posing a severe risk to FedRAMP and NIST 800-171 systems. DIB organizations must immediately patch affected IBM API Connect instances to prevent unauthorized access and potential data exfiltration.
Shame score — A critical unauthenticated SQL injection in a password reset function is a high-severity flaw that could lead to credential bypass, though it is not yet actively exploited in the wild.
IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.
| Product | Provider | Status | Match |
|---|---|---|---|
| IBM Cloud for Government | IBM | Authorized | vendor-exact · 0.90 |
| IBM Federal HR Cloud | IBM | Authorized | vendor-exact · 0.90 |
| IBM Maximo and TRIRIGA on Cloud for U.S. Federal | IBM | Authorized | vendor-exact · 0.90 |
| MaaS360 Enterprise Mobility Management | IBM | Authorized | vendor-exact · 0.90 |
| SmartCloud for Government | IBM | Authorized | vendor-exact · 0.90 |