{"api_version":"1","generated_at":"2026-07-04T22:58:54+00:00","cve":"CVE-2026-12085","urls":{"html":"https://cve.report/CVE-2026-12085","api":"https://cve.report/api/cve/CVE-2026-12085.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-12085","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-12085"},"summary":{"title":"IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability","description":"IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.","state":"PUBLISHED","assigner":"ibm","published_at":"2026-06-30 20:17:28","updated_at":"2026-07-02 18:35:42"},"problem_types":["CWE-201","NVD-CWE-noinfo","CWE-201 CWE-201 Insertion of Sensitive Information Into Sent Data"],"metrics":[{"version":"3.1","source":"psirt@us.ibm.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.ibm.com/support/pages/node/7277577","name":"https://www.ibm.com/support/pages/node/7277577","refsource":"psirt@us.ibm.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-12085","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12085","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"IBM","product":"UCD - IBM UrbanCode Deploy","version":"affected 7.3.0 7.3.2.18 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"UCD - IBM DevOps Deploy","version":"affected 8.0 8.0.1.13 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"UCD - IBM DevOps Deploy","version":"affected 8.1.0 8.1.2.6 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"UCD - IBM DevOps Deploy","version":"affected 8.2.0 8.2.1.0 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"IBM strongly suggests the following:\n\n\n\nUpgrade affected versions to any of  7.3.2.19 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.0.1.14 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.1.2.7 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.2.2.0 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"12085","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"devops_deploy","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"12085","cve":"CVE-2026-12085","epss":"0.002340000","percentile":"0.141670000","score_date":"2026-07-03","updated_at":"2026-07-04 00:02:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-12085","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-01T14:01:22.988510Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-01T14:01:30.936Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.18:*:*:*:*:*:*:*"],"product":"UCD - IBM UrbanCode Deploy","vendor":"IBM","versions":[{"lessThanOrEqual":"7.3.2.18","status":"affected","version":"7.3.0","versionType":"semver"}]},{"cpes":["cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.13:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:*"],"product":"UCD - IBM DevOps Deploy","vendor":"IBM","versions":[{"lessThanOrEqual":"8.0.1.13","status":"affected","version":"8.0","versionType":"semver"},{"lessThanOrEqual":"8.1.2.6","status":"affected","version":"8.1.0","versionType":"semver"},{"lessThanOrEqual":"8.2.1.0","status":"affected","version":"8.2.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.</p>"}],"value":"IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-201","description":"CWE-201 Insertion of Sensitive Information Into Sent Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T19:38:19.293Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7277577"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>IBM strongly suggests the following:</p><p>Upgrade affected versions to any of <a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&amp;product=ibm/Rational/IBM+UrbanCode+Deploy&amp;fixids=7.3.2.19-IBM-UrbanCode-Deploy&amp;downloadMethod=http\" rel=\"nofollow\">7.3.2.19</a>, <a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&amp;product=ibm/Rational/IBM+DevOps+Deploy&amp;fixids=8.0.1.14-IBM-DevOps-Deploy&amp;downloadMethod=http\" rel=\"nofollow\">8.0.1.14</a>, <a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&amp;product=ibm/Rational/IBM+DevOps+Deploy&amp;fixids=8.1.2.7-IBM-DevOps-Deploy&amp;downloadMethod=http\" rel=\"nofollow\">8.1.2.7</a>, <a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational&amp;product=ibm/Rational/IBM+DevOps+Deploy&amp;fixids=8.2.2.0-IBM-DevOps-Deploy&amp;downloadMethod=http\" rel=\"nofollow\">8.2.2.0</a> or later</p>"}],"value":"IBM strongly suggests the following:\n\n\n\nUpgrade affected versions to any of  7.3.2.19 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.0.1.14 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.1.2.7 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.2.2.0 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later"}],"title":"IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2026-12085","datePublished":"2026-06-30T19:38:19.293Z","dateReserved":"2026-06-12T13:20:09.092Z","dateUpdated":"2026-07-01T14:01:30.936Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-30 20:17:28","lastModifiedDate":"2026-07-02 18:35:42","problem_types":["CWE-201","NVD-CWE-noinfo","CWE-201 CWE-201 Insertion of Sensitive Information Into Sent Data"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-01T14:01:22.988510Z","id":"CVE-2026-12085","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:devops_deploy:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0.0","versionEndExcluding":"8.0.1.14","matchCriteriaId":"26D9E998-DB17-4A71-9452-A26614168759"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:devops_deploy:*:*:*:*:*:*:*:*","versionStartIncluding":"8.1.0.0","versionEndExcluding":"8.1.2.7","matchCriteriaId":"45A6D038-C474-4482-9F59-0152D621ADB9"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:devops_deploy:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0.0","versionEndExcluding":"8.2.1.0","matchCriteriaId":"01BE7813-5F11-468B-8DFD-58FF3D46D89A"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:urbancode_deploy:*:*:*:*:*:*:*:*","versionStartIncluding":"7.3.0.0","versionEndExcluding":"7.3.2.19","matchCriteriaId":"455A02FB-5A16-4E9D-969E-054CF62C44D6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"12085","Ordinal":"1","Title":"IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to","CVE":"CVE-2026-12085","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"12085","Ordinal":"1","NoteData":"IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.","Type":"Description","Title":"IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to"}]}}}