CVE-2026-9762
Undergoing Analysis Undergoing Analysis - In Progress

Remote Code Execution in IBM Db2 Database

Vulnerability report for CVE-2026-9762, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: IBM Corporation

Description

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to remote code execution when a JDBC URL is under user control. This flaw allows attackers to execute arbitrary code remotely due to improper control of code generation (CWE-94).

Detection Guidance

Detection involves checking for vulnerable IBM Db2 versions (11.5.0-11.5.9 or 12.1.0-12.1.4) and verifying if JDBC URLs are user-controlled. Inspect Db2 server logs for unusual JDBC connection patterns or remote code execution attempts. Use network monitoring tools to detect suspicious outbound connections from Db2 processes.

Impact Analysis

If exploited, this vulnerability could allow attackers to run malicious code on affected systems, potentially leading to data breaches, unauthorized access, or system compromise. It requires user-controlled JDBC URLs to trigger.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR (data protection) and HIPAA (health data security) requirements. Non-compliance may result in legal penalties or fines.

Mitigation Strategies

Apply the special builds with interim fixes provided by IBM for versions 11.5.9 and 12.1.4. Download and install the appropriate fixes from IBM Fix Central to remediate the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9762. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart