SB2026060828 - Multiple vulnerabilities in IBM Sterling Connect:Direct Web Services
Published: June 8, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Observable discrepancy (CVE-ID: CVE-2026-22746)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to observable timing discrepancies in DaoAuthenticationProvider when processing authentication requests for disabled, expired, or locked users. A remote attacker can send authentication attempts for different usernames to disclose sensitive information.
The issue is exposed when applications rely on the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked attributes to enable, expire, or lock users.
2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-22751)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to establish multiple authenticated sessions with a one-time token.
The vulnerability exists due to a time-of-check time-of-use race condition in JdbcOneTimeTokenService when handling concurrent requests to the authentication endpoint. A remote attacker can send concurrent authentication requests that each present the same valid one-time token and thereby establish multiple authenticated sessions from a token that should be usable only once.
Only applications that explicitly configure one-time token login with JdbcOneTimeTokenService are vulnerable. The default InMemoryOneTimeTokenService is not affected.
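The race class behind the second issue, shown as an added, constructed illustration (this is not Spring Security's JdbcOneTimeTokenService code; the table, column and token names are made up): a consume step that decides on a SELECT and deletes afterwards lets every interleaved request pass, while making the conditional DELETE itself the decision limits the token to exactly one winner regardless of interleaving.

```python
import sqlite3
import time

# Constructed demo of the one-time-token TOCTOU class; not the vendor's code.
TOKEN = "tok-constructed-123"  # constructed sample token value

def new_store():
    """In-memory token table seeded with one constructed, unexpired token."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE one_time_tokens "
                 "(token_value TEXT PRIMARY KEY, username TEXT, expires_at REAL)")
    conn.execute("INSERT INTO one_time_tokens VALUES (?, ?, ?)",
                 (TOKEN, "alice", time.time() + 300))
    conn.commit()
    return conn

# Vulnerable shape: the authorization decision is taken on a SELECT (check),
# and the token is removed later in a separate statement (use).
def check_token(conn, token):
    row = conn.execute("SELECT username FROM one_time_tokens "
                       "WHERE token_value = ? AND expires_at > ?",
                       (token, time.time())).fetchone()
    return row[0] if row else None

def delete_token(conn, token):
    conn.execute("DELETE FROM one_time_tokens WHERE token_value = ?", (token,))
    conn.commit()

def sessions_created_toctou(conn, token, n_requests):
    """Worst-case interleaving of n concurrent requests: every request runs its
    check before any of them reaches the delete, so every check succeeds."""
    winners = [check_token(conn, token) for _ in range(n_requests)]
    for _ in range(n_requests):
        delete_token(conn, token)  # deleting an already-deleted row is a silent no-op
    return sum(u is not None for u in winners)

# Hardened shape: the conditional DELETE is the check. The database serializes
# it, so exactly one request observes rowcount == 1, whatever the interleaving.
def consume_token_atomic(conn, token):
    username = check_token(conn, token)  # informational read only
    cur = conn.execute("DELETE FROM one_time_tokens "
                       "WHERE token_value = ? AND expires_at > ?",
                       (token, time.time()))
    conn.commit()
    return username if cur.rowcount == 1 else None  # authorize on the claim, not the read

def sessions_created_atomic(conn, token, n_requests):
    return sum(consume_token_atomic(conn, token) is not None for _ in range(n_requests))

if __name__ == "__main__":
    print("TOCTOU sessions:", sessions_created_toctou(new_store(), TOKEN, 5))  # 5
    print("atomic sessions:", sessions_created_atomic(new_store(), TOKEN, 5))  # 1
```

The same pattern applies to any single-use credential backed by a shared store: the state change that invalidates the credential must be the operation whose result grants the session.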
Remediation
Install the update from the vendor's website.