SB2026062913 - Multiple vulnerabilities in IBM InfoSphere Information Server



SB2026062913 - Multiple vulnerabilities in IBM InfoSphere Information Server

Published: June 29, 2026

Security Bulletin ID SB2026062913
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Prototype pollution (CVE-ID: CVE-2026-29063)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.

The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.

Prototype pollution occurs without affecting the global Object.prototype, but injected properties can still be accessed through object property lookups even if not visible via Object.keys().


2) Use of hard-coded cryptographic key (CVE-ID: CVE-2025-14923)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings. A local user can gain unauthorized access to sensitive information on the system.


3) Improper privilege management (CVE-ID: CVE-2026-3621)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability occurs when an application is deployed without authentication and authorization configured. A remote user can escalate privileges.


Remediation

Install update from vendor's website.