CVE-2026-9074
IBM · API Connect
An unauthenticated SQL injection vulnerability exists in the password reset functionality of IBM API Connect, potentially allowing unauthorized access to backend data.
Executive summary
A critical unauthenticated SQL injection vulnerability in IBM API Connect allows attackers to compromise sensitive information via the password reset function.
Vulnerability
This is an unauthenticated SQL injection (CWE-89) vulnerability located within the password reset mechanism, allowing for unauthorized interaction with the database.
Business impact
This vulnerability carries a CVSS score of 9.1, reflecting its critical nature. Because it allows for unauthenticated access, an attacker could potentially extract sensitive configuration data, user credentials, or other proprietary information from the backend database, leading to a complete compromise of the API management layer.
Remediation
Immediate Action: Upgrade IBM API Connect to a patched version as specified in the official IBM security support pages.
Proactive Monitoring: Monitor database query logs for evidence of anomalous SQL syntax or unauthorized access attempts against the password reset modules.
Compensating Controls: Implement strict ingress filtering and utilize a WAF to detect and block common SQL injection patterns targeting the API endpoint.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Immediate patching is required to address this critical SQL injection flaw. Organizations should prioritize updating their API Connect instances to ensure the integrity of their authentication and data management systems, as this vulnerability provides a direct pathway for unauthorized data exfiltration.