SB2026051536 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026051536

SB2026051536 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Published: May 15, 2026

Security Bulletin ID SB2026051536
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-27199)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the "safe_join" function allows Windows device names as filenames if when preceded by other path segments. A remote attacker can cause reading of the file to hang indefinitely.


2) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-21860)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References