Incorrect Permission Assignment in BIG-IP and BIG-IQ Products by F5 Networks
CVE-2026-42937

6.8 MEDIUM

Key Information:

Vendor: F5

CVE Published: 13 May 2026

What is CVE-2026-42937?

Multiple incorrect permission assignment vulnerabilities exist in the ARP and NDP commands of the BIG-IP and BIG-IQ TMOS Shell (tmsh), as well as in the BIG-IP iControl REST interface. These flaws could permit an authenticated attacker to view sensitive adjacent network information, which could support further attacks on the network. Regular updates and security audits are recommended to mitigate these risks.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.2

BIG-IP 17.5.0 < 17.5.1.6

BIG-IP 17.1.0 < 17.1.3.2

CVSS V4

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5