Incorrect permission assignment for critical resource in BIG-IP - CVE-2026-41217

 


Published: May 14, 2026


Vulnerability identifier: #VU131392
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41217
CWE-ID: CWE-732
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: F5 Networks
Affected software:
BIG-IP

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary system commands with higher privileges.

The vulnerability exists due to incorrect permission assignment for a critical resource in the tmsh command, which is reachable through local access. A local privileged user can invoke the vulnerable tmsh command to execute arbitrary system commands with higher privileges.

In Appliance mode deployments, exploitation can cross a security boundary. The issue is limited to the control plane, with no data plane exposure.


How to mitigate CVE-2026-41217

Install the security update from the vendor's website.
