SQL Injection Vulnerability in BMC Control-M/MFT Affects Multiple Versions
CVE-2026-23780

8.8 HIGH

Key Information:

Vendor
CVE Published: 10 April 2026

What is CVE-2026-23780?

A SQL injection vulnerability exists in BMC Control-M/MFT versions 9.0.20 to 9.0.22 due to inadequate input validation in the MFT API's debug interface. The flaw allows an authenticated attacker to execute malicious SQL queries, potentially leading to arbitrary file read/write and, in severe cases, remote code execution. Users of the affected versions should apply the necessary patches to mitigate this risk.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
