CVE-2026-9074

IBM · API Connect

An unauthenticated SQL injection vulnerability exists in the password reset functionality of IBM API Connect, potentially allowing unauthorized access to backend data.

Executive summary

A critical unauthenticated SQL injection vulnerability in IBM API Connect allows attackers to compromise sensitive information via the password reset function.

Vulnerability

This is an unauthenticated SQL injection (CWE-89) vulnerability located within the password reset mechanism, allowing for unauthorized interaction with the database.

Business impact

This vulnerability carries a CVSS score of 9.1, reflecting its critical nature. Because it allows for unauthenticated access, an attacker could potentially extract sensitive configuration data, user credentials, or other proprietary information from the backend database, leading to a complete compromise of the API management layer.

Remediation

Immediate Action: Upgrade IBM API Connect to a patched version as specified in the official IBM security support pages.

Proactive Monitoring: Monitor database query logs for evidence of anomalous SQL syntax or unauthorized access attempts against the password reset modules.

Compensating Controls: Implement strict ingress filtering and utilize a WAF to detect and block common SQL injection patterns targeting the API endpoint.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Immediate patching is required to address this critical SQL injection flaw. Organizations should prioritize updating their API Connect instances to ensure the integrity of their authentication and data management systems, as this vulnerability provides a direct pathway for unauthorized data exfiltration.