CVE-2026-6938
Status: Analyzed - Analysis Complete
Authorization Bypass in IBM Db2 via Remote Object Storage

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: IBM Corporation

Description
IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-28
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: ibm
Product: db2
Version / Range: from 12.1.0 (inclusive) to 12.1.4 (inclusive)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

IBM Db2 versions 12.1.0 through 12.1.4 have an authorization bypass vulnerability when uploading files to a remote object storage path using a specially crafted query.

This flaw allows unauthorized users to perform sensitive operations that they should not have permission to execute.

The vulnerability affects only Linux and Unix versions of IBM Db2, and it does not impact Windows versions.

Impact Analysis

The vulnerability has a CVSS base score of 6.5, indicating medium severity.

It can lead to a high integrity impact, meaning unauthorized users could alter or manipulate data or operations.

Exploitation requires only low privileges and no user interaction, which lowers the bar for an attacker who already holds a low-privileged account.

Detection Guidance

IBM has not disclosed detailed exploitation steps or specific detection commands to prevent potential misuse of this information.

Customers are encouraged to evaluate the vulnerability's impact in their environments using available resources and subscribe to security bulletins for future updates.

Mitigation Strategies

Apply the interim fixes provided by IBM, specifically the special build for Db2 version 12.1.4, which can be downloaded from IBM Fix Central.

As a workaround, use the LOAD COPY command with specific parameters instead of relying on the DB2_LOAD_COPY_NO_OVERRIDE registry variable.

Subscribe to IBM security bulletins to stay informed about future updates and patches.

Compliance Impact

The vulnerability in IBM Db2 12.1.0 through 12.1.4 allows an authorization bypass when uploading files to a remote object storage path, potentially enabling unauthorized access to sensitive operations.

Such unauthorized access could impact the integrity of data, which may have implications for compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive information and strict access controls.

However, the provided information does not explicitly detail how this vulnerability directly affects compliance with these regulations.
