SB2026062430 - Multiple vulnerabilities in IBM Data Product Hub



SB2026062430 - Multiple vulnerabilities in IBM Data Product Hub

Published: June 24, 2026

Security Bulletin ID SB2026062430
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 16
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 56% Low 44%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 16 vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2026-34268)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


2) Improper input validation (CVE-ID: CVE-2026-22008)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Oracle Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


3) Improper privilege management (CVE-ID: CVE-2026-3621)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability occurs when an application is deployed without authentication and authorization configured. A remote user can escalate privileges.


4) Prototype pollution (CVE-ID: CVE-2026-29063)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.

The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.

Prototype pollution occurs without affecting the global Object.prototype, but injected properties can still be accessed through object property lookups even if not visible via Object.keys().


5) Uncontrolled Recursion (CVE-ID: CVE-2026-41680)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite recursion in the block tokenizer. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


6) Out-of-bounds read (CVE-ID: CVE-2026-6918)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in Message::deserialize() and MessageBuffer::readData() when processing a crafted TCP message containing an attacker-controlled DataDescriptor._size value. A remote attacker can send a specially crafted TCP message to cause a denial of service.

The issue occurs before protocol-level validation, and no authentication, encryption, or valid JIT compilation request is required. Deployments running without TLS client authentication are affected by default.


7) Improper input validation (CVE-ID: CVE-2026-22007)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


8) Weak password requirements (CVE-ID: CVE-2025-14917)

CWE-ID: CWE-521 - Weak Password Requirements

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an attacker to perform a brute-force attack.

The vulnerability exists due to weak password requirements when the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature is enabled. As a result users can set weak passwords to access their accounts. A remote attacker can perform brute-force attack and gain unauthorized access to the application. 


9) Improper input validation (CVE-ID: CVE-2026-22018)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


10) Information disclosure (CVE-ID: CVE-2025-14915)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application with the restConnector-1.0 or restConnector-2.0 feature enabled. A remote authenticated user can gain unauthorized access to sensitive information and escalate privileges within thin the application.


11) Improper input validation (CVE-ID: CVE-2026-22013)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


12) Improper input validation (CVE-ID: CVE-2026-22021)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


13) Integer overflow (CVE-ID: CVE-2026-23865)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to integer overflow within the tt_var_load_item_variation_store() function when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. A remote attacker can trick the victim into opening a specially crafted file, trigger an integer overflow and read memory contents on the system.


14) Improper input validation (CVE-ID: CVE-2026-22016)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


15) Improper input validation (CVE-ID: CVE-2026-34282)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


16) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-1561)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when the samlWeb-2.0 feature enabled. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


Remediation

Install update from vendor's website.