Unauthenticated SQL Injection Vulnerability in IBM API Connect
CVE-2026-9074

9.1CRITICAL

Key Information:

Vendor

IBM

Vendor
CVE Published:
8 July 2026

What is CVE-2026-9074?

IBM API Connect versions 10.0.8.0 to 10.0.8.9 and 12.1.0.0 to 12.1.0.3 contain an unauthenticated SQL injection vulnerability in the password reset feature. This flaw allows attackers to manipulate SQL queries, potentially gaining unauthorized access to sensitive data or executing malicious commands within the application's database. Users are advised to apply available patches and implement best security practices to mitigate risks associated with this vulnerability.

Affected Version(s)

API Connect 10.0.8.0 < 10.0.8.9

API Connect 12.0

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.