SB2026062508 - Multiple vulnerabilities in IBM Cloud Pak System

Published: June 25, 2026

Security Bulletin ID: SB2026062508
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 16
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 6%, Medium: 88%, Low: 6%

Description

This security bulletin contains information about 16 vulnerabilities.


1) CRLF injection (CVE-ID: CVE-2026-42037)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary multipart part headers.

The vulnerability exists due to improper neutralization of CRLF sequences in FormDataPart constructor in lib/helpers/formDataToStream.js when processing Blob/File-like object MIME types in multipart form-data generation. A remote attacker can supply a specially crafted blob.type value to inject arbitrary multipart part headers.

This issue is reachable through the public axios FormData posting API in Node.js environments that accept attacker-controlled file metadata and relay it downstream.
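As an added defensive example (not axios code and not from this bulletin), the check below validates client-supplied file metadata before it is relayed into a multipart part: the MIME type must match the RFC 2045 media-type grammar, so a value carrying CR or LF is replaced instead of forwarded. `FALLBACK_TYPE` and the function names are assumptions for this example.

```javascript
// Added defensive example (not axios code): validate client-supplied file
// metadata before it is relayed into a multipart part. The MIME type is
// checked against the RFC 2045 media-type grammar (token "/" token with
// optional parameters); any CR, LF or other control character fails the
// check, so a hostile blob.type cannot become an extra part header.
// FALLBACK_TYPE is an assumed default for rejected values.
const FALLBACK_TYPE = 'application/octet-stream';

// RFC 2045 token: printable ASCII except space, controls and tspecials.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
// Quoted string; backslash escapes allowed, but never a raw CR or LF.
const QUOTED = '"(?:[^"\\\\\\r\\n]|\\\\[^\\r\\n])*"';
// Parameter separator is ";" followed by spaces or tabs only: \s is not used
// here because it would also accept CR and LF.
const MEDIA_TYPE = new RegExp(
  `^${TOKEN}/${TOKEN}(?:;[ \\t]*${TOKEN}=(?:${TOKEN}|${QUOTED}))*$`
);

// True only for a well-formed media type with no control characters.
function isSafeMimeType(type) {
  return typeof type === 'string' && type.length <= 255 && MEDIA_TYPE.test(type);
}

// Value to actually put on the part: the original when it passes the check,
// otherwise the neutral fallback (never the raw client string).
function safeMimeType(type) {
  return isSafeMimeType(type) ? type : FALLBACK_TYPE;
}
```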


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42036)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the HTTP adapter streamed response handling when processing responses with responseType: 'stream' and enforcing maxContentLength. A remote attacker can send a specially crafted oversized response to cause a denial of service.

The issue affects Node.js applications that rely on maxContentLength as a safety boundary while using streamed Axios responses.


3) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42042)

CWE-ID: CWE-183 - Permissive List of Allowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and bypass CSRF protections.

The vulnerability exists due to permissive list of allowed inputs in lib/helpers/resolveConfig.js when processing the withXSRFToken config property during browser requests. A remote attacker can pollute Object.prototype.withXSRFToken with a truthy non-boolean value or rely on a misconfigured truthy non-boolean value to disclose sensitive information and bypass CSRF protections.

User interaction is required, and the issue affects browser environments where the XSRF logic runs only when hasStandardBrowserEnv is true.


4) Prototype pollution (CVE-ID: CVE-2026-42041)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass application-level authentication checks and suppress HTTP error handling.

The vulnerability exists due to improperly controlled modification of object prototype attributes ('prototype pollution') in lib/core/mergeConfig.js and lib/core/settle.js when merging request configuration after Object.prototype has been polluted with a crafted validateStatus property. A remote attacker can pollute Object.prototype.validateStatus with a function that always returns true to bypass application-level authentication checks and suppress HTTP error handling.

Exploitation requires chaining with an existing prototype pollution condition elsewhere in the application stack.


5) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42040)

CWE-ID: CWE-626 - Null Byte Interaction Error (Poison Null Byte)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to inject raw null bytes into serialized URL query parameters.

The vulnerability exists due to null byte interaction error in lib/helpers/AxiosURLSearchParams.js encode() function when serializing parameters through AxiosURLSearchParams.toString() without an encoder or through custom paramsSerializer delegation. A remote attacker can supply crafted input containing null bytes to inject raw null bytes into serialized URL query parameters.

The standard axios request flow using buildURL is not affected, and exploitation is limited to direct AxiosURLSearchParams usage or custom serializer paths that delegate to the internal encoder.


6) Uncontrolled Recursion (CVE-ID: CVE-2026-42039)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in toFormData in lib/helpers/toFormData.js when processing deeply nested request data or params objects. A remote attacker can send a deeply nested object to cause a denial of service.

The issue can be reached in server-side code that forwards client-controlled objects into axios request data or params, and may terminate the running request handler or process with a RangeError.
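As an added defensive example (not axios code and not from this bulletin), the check below bounds the nesting depth of a client-controlled object before it is handed to axios as `data` or `params`, rejecting payloads that would otherwise drive `toFormData` into uncontrolled recursion. `MAX_DEPTH` and the function names are assumptions for this example.

```javascript
// Added defensive example (not axios code): bound the nesting depth of a
// client-controlled object before it is passed to axios as `data` or
// `params`, so a deeply nested payload is rejected up front instead of
// driving toFormData into uncontrolled recursion and a RangeError.
// The walk is breadth-first with an explicit queue, so the check itself
// cannot overflow the call stack. MAX_DEPTH is an assumed limit.
const MAX_DEPTH = 32;

// Only plain objects and arrays are descended into; Buffers, Blobs, class
// instances and scalars count as leaves.
function isContainer(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return Array.isArray(v) || proto === Object.prototype || proto === null;
}

// Depth of the deepest container: 0 for a scalar, 1 for {} or [], and so on.
// Stops early once `limit` is exceeded (returns limit + 1). JSON-derived
// input is a tree, so a revisited object (cycle or shared reference) is
// rejected as well: returns Infinity.
function nestingDepth(value, limit = MAX_DEPTH) {
  if (!isContainer(value)) return 0;
  const seen = new Set([value]);
  let frontier = [value];
  let depth = 0;
  while (frontier.length > 0) {
    depth += 1;
    if (depth > limit) return depth;
    const next = [];
    for (const node of frontier) {
      for (const child of Object.values(node)) {
        if (!isContainer(child)) continue;
        if (seen.has(child)) return Infinity;
        seen.add(child);
        next.push(child);
      }
    }
    frontier = next;
  }
  return depth;
}

// Gate to apply before forwarding client input into an axios request.
function isSafeForAxios(value, limit = MAX_DEPTH) {
  return nestingDepth(value, limit) <= limit;
}

// Builds a chain of `levels` nested objects (constructed test input).
function buildNested(levels) {
  let v = 'leaf';
  for (let i = 0; i < levels; i += 1) v = { k: v };
  return v;
}
```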


7) Improper access control (CVE-ID: CVE-2026-42038)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in shouldBypassProxy() when processing URLs against no_proxy rules. A remote attacker can supply a URL using an IP alias instead of the hostname to disclose sensitive information.

In server-side environments, requests intended to bypass proxies can instead be routed through an attacker-controlled proxy. This can affect access to internal or cloud metadata services.


8) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-25639)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling of the proto key in mergeConfig. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


9) HTTP response splitting (CVE-ID: CVE-2026-42035)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.

Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.


10) Prototype pollution (CVE-ID: CVE-2026-42044)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to tamper with JSON API responses.

The vulnerability exists due to prototype pollution in parseReviver in lib/defaults/index.js when parsing JSON responses. A remote attacker can pollute Object.prototype.parseReviver via another vulnerable library in the dependency tree to tamper with JSON API responses.

Exploitation requires a separate prototype pollution source in the application's dependency tree.


11) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42034)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the HTTP adapter native http/https transport path when sending streamed request bodies with maxRedirects set to 0. A remote attacker can send an oversized streamed upload to cause a denial of service.

The issue affects only stream request bodies; buffered request bodies and requests using default or nonzero redirect handling follow different enforcement paths.


12) Prototype pollution (CVE-ID: CVE-2026-42033)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to tamper with JSON responses and disclose sensitive information.

The vulnerability exists due to prototype pollution in parseReviver handling in the transformResponse functionality when processing JSON responses in a process where Object.prototype has been polluted by a co-dependency. A remote attacker can pollute Object.prototype.parseReviver to tamper with JSON responses and disclose sensitive information.

This issue affects the parseReviver gadget and requires a separate source of prototype pollution in the same process.


13) HTTP response splitting (CVE-ID: CVE-2026-40175)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to the software not correctly processing CRLF character sequences. A remote attacker can send a specially crafted request containing a CRLF sequence and make the application send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.


14) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.

The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using forms such as localhost. or [::1] to conduct server-side request forgery and disclose sensitive information.

Applications that rely on NO_PROXY entries for loopback or internal services are affected.


15) Prototype pollution (CVE-ID: CVE-2026-42264)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject credentials and hijack requests.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the HTTP adapter when reading configuration properties via direct property access from polluted prototypes. A remote attacker can pollute Object.prototype through another dependency in the same process to inject credentials and hijack requests.

Exploitation requires prototype pollution by another dependency in the same process, and requests using relative URLs can be redirected to an attacker-controlled server.


16) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42043)

CWE-ID: CWE-183 - Permissive List of Allowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass proxy restrictions and disclose sensitive information.

The vulnerability exists due to permissive list of allowed inputs in lib/helpers/shouldBypassProxy.js when processing Axios requests to loopback addresses in the 127.0.0.0/8 range. A remote attacker can influence the target URL to bypass proxy restrictions and disclose sensitive information.

Exploitation requires the application to use proxy environment variables and rely on NO_PROXY rules to protect loopback services.


Remediation

Install the update from the vendor's website.