CVE-2026-7876
Modified Modified - Updated After Analysis
IBM Aspera HSTS for CP4I Path Traversal Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-06-11

Assigner: IBM Corporation

Description
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19Β is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-11
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7876
EUVD
EUVD-2026-32506
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ibm aspera_high-speed_transfer_server_for_cloud_pak_for_integration From 1.5.1 (inc) to 1.5.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-7876 is an authentication bypass vulnerability that allows unauthorized access to files on the IBM Aspera High-Speed Transfer Server. Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Because the vulnerability permits bypassing authentication and accessing files without proper permission, it undermines the confidentiality and integrity requirements mandated by these standards.

IBM has released a fixed version (1.5.20) to address this issue, and users are advised to update to maintain compliance and reduce risk.

Executive Summary

CVE-2026-7876 is an authentication bypass vulnerability in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19.

This flaw allows a transfer client to bypass authentication and access files in the server's local storage that they should not have permission to view, provided certain restriction settings are not in place.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive files stored on the server, potentially exposing confidential or private data.

Because it allows bypassing authentication, attackers or unauthorized users could retrieve or manipulate data without proper permissions.

The vulnerability has a high severity level with a CVSS base score of 9.1, indicating significant risk to affected systems.

There are no current workarounds or mitigations, so updating to version 1.5.20 or later is necessary to protect against this issue.

Mitigation Strategies

This vulnerability can be mitigated by updating IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) to version 1.5.20 or later.

No workarounds or other mitigations are currently available, so applying the update is the only recommended immediate step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7876. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart