SB2026061737 - Multiple vulnerabilities in IBM Operational Decision Manager

Published: June 17, 2026

Security Bulletin ID: SB2026061737
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33%, Medium 33%, Low 33%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Use of hard-coded credentials (CVE-ID: CVE-2026-44825)

CWE-ID: CWE-798 - Use of Hard-coded Credentials

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to gain full administrative access to the cluster.

The vulnerability exists due to hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) when bootstrapping BasicAuth. A remote attacker can authenticate with publicly known default credentials to gain full administrative access to the cluster.

Only clusters where BasicAuth was bootstrapped using the tool are affected.


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-2332)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists because the chunked transfer encoding extension parser interprets HTTP requests inconsistently when parsing quoted strings in HTTP/1.1 chunk extension values. A remote attacker can send a specially crafted chunked HTTP request to inject arbitrary HTTP requests.

The issue occurs because CRLF sequences inside quoted strings are treated as chunk header terminators instead of parsing errors.
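The parsing point above, as an added illustration that is not part of this bulletin or of any vendor's code: a strict RFC 9112 chunk-size line parser (function names such as parse_chunk_header are my own) that treats a CR or LF inside a quoted-string extension value, or a quote still open when the CRLF is reached, as a parse error rather than as the end of the chunk header. Sample inputs in the test are constructed.

```python
import re

class ChunkHeaderError(ValueError):
    """Raised for any chunk-size line that is not well formed."""

_TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                   # RFC 9110 token characters
_HEX = re.compile(rb"[0-9A-Fa-f]+")
_TOKEN = re.compile(_TCHAR)
_EXT = re.compile(rb"[ \t]*;[ \t]*(" + _TCHAR + rb")[ \t]*(=[ \t]*)?")  # BWS ";" BWS name [BWS "=" BWS]
_QD_BAD = (set(range(0x20)) - {0x09}) | {0x7F}              # CR, LF and other bytes illegal in a quoted-string

def _quoted_string(line, i):
    """Parse a quoted-string at line[i] == '"'; returns (unescaped value, next index)."""
    out, i = bytearray(), i + 1
    while i < len(line):
        c = line[i]
        if c == 0x22:                                       # closing DQUOTE
            return bytes(out), i + 1
        if c == 0x5C and i + 1 < len(line):                 # quoted-pair: keep the escaped byte literally
            i, c = i + 1, line[i + 1]
        if c in _QD_BAD:
            raise ChunkHeaderError("CR/LF or other control byte inside quoted-string")
        out.append(c)
        i += 1
    raise ChunkHeaderError("quoted-string still open when CRLF was reached")

def parse_chunk_header(raw):
    """Parse one chunk-size line; returns (size, {ext-name: ext-val or None}, bytes consumed)."""
    end = raw.find(b"\r\n")
    if end < 0:
        raise ChunkHeaderError("chunk-size line not terminated by CRLF")
    line = raw[:end]            # this CRLF ends the header only if everything before it validates
    m = _HEX.match(line)
    if not m:
        raise ChunkHeaderError("missing chunk-size")
    size, i, exts = int(m.group(), 16), m.end(), {}
    while i < len(line):
        m = _EXT.match(line, i)
        if not m:
            raise ChunkHeaderError("unexpected byte after chunk-size")
        name, i, val = m.group(1), m.end(), None
        if m.group(2):                                      # "=" seen: a token or quoted-string follows
            if i < len(line) and line[i] == 0x22:
                val, i = _quoted_string(line, i)
            elif m := _TOKEN.match(line, i):
                val, i = m.group(), m.end()
            else:
                raise ChunkHeaderError("missing extension value")
        exts[name] = val
    return size, exts, end + 2
```

A lenient parser that stops at the first CRLF regardless of quoting would accept the header that this one rejects, which is exactly the disagreement between components that request smuggling relies on.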


3) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-5795)

CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists because JaspiAuthenticator.java does not clear sensitive authentication state from a resource before it is reused when handling certain error or incomplete authentication flows. A remote attacker can trigger a request sequence that leaves residual authentication metadata in ThreadLocal storage to escalate privileges.

A subsequent unprivileged request processed by the same worker thread may inherit residual security roles if a mandatory CallerPrincipalCallback is missing or an exception occurs after a GroupPrincipalCallback has been persisted.


4) Improper authorization (CVE-ID: CVE-2026-22022)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improper input validation in the Rule Based Authorization Plugin. A remote authenticated user can bypass certain "predefined permission" rules in the RuleBasedAuthorizationPlugin under specific configurations and gain unauthorized access to the application. 


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-22444)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient input validation on certain API parameters. A remote authenticated user can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting. These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.


6) Input validation error (CVE-ID: CVE-2025-11143)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a differential parsing of URIs between different components of the application. A remote attacker can use such behavior to bypass implemented security restrictions. 


Remediation

Install update from vendor's website.