Privilege Escalation Vulnerability in F5 BIG-IP by F5 Networks
CVE-2026-40631

8.5HIGH

Key Information:

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-40631?

A security vulnerability allows an authenticated attacker with Resource Administrator or Administrator roles to manipulate configuration objects via the SOAP interface. This could potentially lead to unauthorized access and changes to the F5 BIG-IP system settings, compromising the security and integrity of the affected environments. Users are advised to apply the available patches and review their configurations.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.2

BIG-IP 17.5.0 < 17.5.1.6

BIG-IP 17.1.0 < 17.1.3.2

References

https://my.f5.com/manage/s/article/K000160979

vendor-advisorypatch

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

F5 acknowledges Adam Logue for bringing this issue to our attention and following the highest standards of coordinated disclosure.

CVE-2026-40631 Data

JSON