Information Leak in F5 BIG-IP iControl REST by Authenticated Attackers
CVE-2026-42058

5.3MEDIUM

Key Information:

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-42058?

An authenticated attack on the F5 BIG-IP's iControl REST interface can result in the unintended exposure of local user account names. This can pose significant security risks as attackers may leverage this information to further compromise the system. Software versions that have reached End of Technical Support (EoTS) are not part of this evaluation; users are advised to check their supported versions for possible exposure.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.2

BIG-IP 17.5.0 < 17.5.1.6

BIG-IP 17.1.0 < 17.1.3.2

References

https://my.f5.com/manage/s/article/K000160903

vendor-advisorypatch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

CVE-2026-42058 Data

JSON