CVE-2026-3602
Received - Intake

SQL Injection in IBM App Connect Enterprise

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2 and 12.0.1.0 through 12.0.12.26, and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7, are vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs

Vendor  Product                    Version / Range
ibm     integration_bus_for_z_os   From 10.1.0.0 (inc) to 10.1.0.7 (inc)
ibm     app_connect_enterprise     From 13.0.1.0 (inc) to 13.0.7.2 (inc)
ibm     app_connect_enterprise     From 12.0.1.0 (inc) to 12.0.12.26 (inc)
ibm     integration_bus_for_zos    From 10.1.0.0 (inc) to 10.1.0.7 (inc)

Exploitability

CWE

CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.

Executive Summary

CVE-2026-3602 is a vulnerability in IBM App Connect Enterprise and IBM Integration Bus for z/OS that allows SQL injection attacks. Specifically, a remote attacker can exploit this vulnerability by tricking a user into unintentionally creating files they are not aware of. This is classified under CWE-73, which involves external control of file names or paths.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause unintended file creation on your system through social engineering. Although the attacker requires user interaction, the unintended files could lead to further security issues or system misuse. The vulnerability has a moderate severity with a CVSS base score of 4.7.

Detection Guidance

There are no specific detection commands or methods provided to identify this vulnerability on your network or system.

The vulnerability involves a remote attacker tricking a user into creating unintended files via SQL injection, but no direct detection techniques or commands are mentioned.

Mitigation Strategies

IBM recommends applying the provided fixes to mitigate this vulnerability.

  • For IBM App Connect Enterprise versions 13.0.8.0 and 12.0.12.27, apply APAR PH71150.
  • For IBM Integration Bus for z/OS 10.1.0.7, apply the interim fix provided by IBM.

No workarounds are currently available, so applying these fixes is the immediate recommended action.
