SB2026071327 - Multiple vulnerabilities in IBM Application Modernization Accelerator
Published: July 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2026-22018)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
2) Improper privilege management (CVE-ID: CVE-2026-3621)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability occurs when an application is deployed without authentication and authorization configured. A remote user can escalate privileges.
3) Out-of-bounds write (CVE-ID: CVE-2026-41907)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to accepting external output buffers, but not rejecting out-of-range writes (small buf or large offset). A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
4) NULL pointer dereference (CVE-ID: CVE-2026-8723)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in qs.stringify when processing arrays with comma format and encodeValuesOnly enabled. A remote attacker can supply input containing null or undefined array elements to cause a denial of service.
In typical Node.js HTTP frameworks, the synchronous exception usually causes the affected request to return an error rather than terminating the worker process. The vulnerable input is reachable from JSON request bodies or from application code constructing arrays from user input.
5) Input validation error (CVE-ID: CVE-2026-40181)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to redirect users to an external domain.
The vulnerability exists due to improper input validation in the redirect function when processing URLs with a path starting with // that is reinterpreted as a protocol-relative URL. A remote attacker can supply a crafted URL to redirect users to an external domain.
This does not affect applications using declarative mode.
6) Improper input validation (CVE-ID: CVE-2026-22016)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
7) Improper input validation (CVE-ID: CVE-2026-22021)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
8) Improper input validation (CVE-ID: CVE-2026-22013)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
9) Use of uninitialized resource (CVE-ID: CVE-2026-45736)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in websocket.close() when processing a TypedArray passed as the reason argument. A remote privileged user can pass a crafted TypedArray as the close reason to disclose sensitive information.
The issue is only exploitable through misuse that is unlikely in practice.
10) Improper input validation (CVE-ID: CVE-2026-34268)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
11) Improper input validation (CVE-ID: CVE-2026-22007)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
12) Security features bypass (CVE-ID: CVE-2026-5516)
CWE-ID: CWE-254 - Security Features
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote privileged attacker can gain unauthorized access to sensitive information on the system.
13) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-41988)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify data on the system.
The vulnerability exists due to uuid can make unexpected writes when external output buffers are used. A local user can gain unauthorized access to modify data on the system.
Remediation
Install update from vendor's website.