Sensitive Information Disclosure in F5 Networks iControl REST Endpoint
CVE-2026-41954

6.9MEDIUM

Key Information:

Vendor: F5
Status: Big-ip; Big-iq
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-41954?

A vulnerability has been identified in the iControl REST endpoint and TMOS Shell (tmsh) command within F5 Networks products. This issue may enable an authenticated attacker, specifically those with resource administrator role privileges, to access sensitive information. This flaw primarily affects product versions that have not reached End of Technical Support (EoTS). Users are advised to apply the necessary patches to mitigate the risks associated with this vulnerability.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.1

BIG-IP 17.5.0 < 17.5.1.4

BIG-IP 17.1.0 < 17.1.3.1

References

https://my.f5.com/manage/s/article/K32950402

vendor-advisorypatch

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

CVE-2026-41954 Data

JSON