SB2026050716 - Multiple vulnerabilities in IBM Platform Navigator in IBM Cloud Pak for Integration (CP4I)
Published: May 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-1525)
The vulnerability allows a remote attacker to smuggle HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in undici low-level HTTP request APIs when processing headers passed as flat arrays with case-variant duplicate Content-Length names. A remote attacker can supply specially crafted header arrays to smuggle HTTP requests.
Exploitation requires an intermediary and backend to interpret duplicate Content-Length headers inconsistently.
2) Improper handling of highly compressed data (CVE-ID: CVE-2026-1526)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of highly compressed data in PerMessageDeflate.decompress() when decompressing incoming WebSocket frames negotiated with the permessage-deflate extension. A remote attacker can send a specially crafted compressed WebSocket frame to cause a denial of service.
Memory exhaustion occurs in native or external memory and can cause the Node.js process to crash or become unresponsive.
3) CRLF injection (CVE-ID: CVE-2026-1527)
The vulnerability allows a remote attacker to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.
The vulnerability exists due to improper neutralization of CRLF sequences in the upgrade option of client.request() when processing user-controlled input. A remote attacker can supply a specially crafted upgrade value to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.
User interaction is required because an application must pass user-controlled input to the upgrade option.
4) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1528)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in input in the ByteParser when processing a WebSocket frame with a 64-bit length field. A remote attacker can send an extremely large length value to cause a denial of service.
5) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-2229)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in WebSocket client permessage-deflate handling when processing a server response containing an out-of-range server_max_window_bits value followed by a compressed frame. A remote attacker can send a crafted WebSocket handshake response and compressed frame to cause a denial of service.
The issue results in an uncaught synchronous RangeError exception that terminates the Node.js process.
6) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-2581)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in DeduplicationHandler when processing deduplicated requests with large or chunked response bodies from an attacker-controlled or untrusted upstream endpoint. A remote attacker can trigger concurrent identical requests that cause response data to accumulate in memory to cause a denial of service.
Only applications with interceptors.deduplicate() enabled are vulnerable.
Remediation
Install update from vendor's website.