SQL Injection Vulnerability in BMC Control-M/MFT Affects Multiple Versions
CVE-2026-23780

Currently unrated

Key Information:

Vendor: BMC

CVE Published: 10 April 2026

What is CVE-2026-23780?

A SQL injection vulnerability exists in BMC Control-M/MFT versions 9.0.20 to 9.0.22, caused by inadequate input validation in the debug interface of the MFT API. An authenticated attacker can use this flaw to execute malicious SQL queries, potentially gaining arbitrary file read/write capabilities and, in severe cases, remote code execution. Users of the affected versions should apply the necessary patches to mitigate this risk.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
