{"api_version":"1","generated_at":"2026-07-03T20:12:02+00:00","cve":"CVE-2026-3602","urls":{"html":"https://cve.report/CVE-2026-3602","api":"https://cve.report/api/cve/CVE-2026-3602.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-3602","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-3602"},"summary":{"title":"IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection","description":"IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.","state":"PUBLISHED","assigner":"ibm","published_at":"2026-06-30 20:17:29","updated_at":"2026-07-02 18:21:11"},"problem_types":["CWE-73","CWE-89","CWE-73 CWE-73 External Control of File Name or Path"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"psirt@us.ibm.com","type":"Secondary","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score"
:"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://www.ibm.com/support/pages/node/7278350","name":"https://www.ibm.com/support/pages/node/7278350","refsource":"psirt@us.ibm.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-3602","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3602","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"IBM","product":"App Connect Enterprise","version":"affected 13.0.1.0 13.0.7.2 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"App Connect Enterprise","version":"affected 12.0.1.0 12.0.12.26 semver","platforms":[]},{"source":"CNA","vendor":"IBM","product":"Integration Bus for z/OS","version":"affected 10.1.0.0 10.1.0.7 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS\nAffected Product(s) | Version(s) | APAR | Remediation / Fixes\nIBM App Connect Enterprise | 13.0.1.0 - 13.0.7.2 | PH71150 | The APAR (PH71150) is available from IBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0\nIBM App Connect Enterprise | 12.0.1.0 - 12.0.12.26 | PH71150 | The APAR (PH71150) is available from IBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27\nIBM Integration Bus for z/OS | 10.1.0.0 - 10.1.0.7 | PH71150 | Interim Fix for APAR (PH71150) 
is available to apply to 10.1.0.7 from IBM Fix Central","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"app_connect_enterprise","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"3602","cve":"CVE-2026-3602","epss":"0.001610000","percentile":"0.057000000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:12"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-3602","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-30T19:30:51.792018Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-30T19:31:02.140Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:app_connect_enterprise:13.0.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:app_connect_enterprise:13.0.7.2:*:*:*:*:*:*:*","cpe:2.3:a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:app_connect_enterprise:12.0.12.26:*:*:*:*:*:*:*"],"product":"App Connect Enterprise","vendor":"IBM","versions":[{"lessThanOrEqual":"13.0.7.2","status":"affected","version":"13.0.1.0","versionType":"semver"},{"lessThanOrEqual":"12.0.12.26","status":"affected","version":"12.0.1.0","versionType":"semver"}]},{"cpes":["cpe:2.3:a:ibm:integration_bus_for_zos:10.1.0.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:integration_bus_for_zos:10.1.0.7:*:*:*:*:*:*:*"],"product":"Integration Bus for 
z/OS","vendor":"IBM","versions":[{"lessThanOrEqual":"10.1.0.7","status":"affected","version":"10.1.0.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.</p>"}],"value":"IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"CWE-73 External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T19:19:47.135Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7278350"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p><strong>IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS </strong></p><div><table><colgroup><col/><col/><col/><col/></colgroup><tbody><tr><td>Affected 
Product(s)</td><td>Version(s)</td><td>APAR</td><td>Remediation / Fixes</td></tr><tr><td>IBM App Connect Enterprise</td><td>13.0.1.0 - 13.0.7.2</td><td>PH71150</td><td><p>The APAR (PH71150) is available from</p><p><a href=\"https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-13080\" rel=\"noopener noreferrer nofollow\">IBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0</a></p></td></tr><tr><td>IBM App Connect Enterprise</td><td>12.0.1.0 - 12.0.12.26 </td><td>PH71150</td><td><p>The APAR (PH71150) is available from</p><p><a href=\"https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-1201227-fix-pack\" rel=\"noopener noreferrer nofollow\">IBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27</a></p></td></tr><tr><td>IBM Integration Bus for z/OS</td><td>10.1.0.0 - 10.1.0.7</td><td>PH71150</td><td><p>Interim Fix for APAR (PH71150) is available to apply to 10.1.0.7 from </p><p><a href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&amp;product=ibm/WebSphere/Integration+Bus&amp;release=10.1.0.7&amp;platform=All&amp;function=aparId&amp;apars=PH71150\" rel=\"nofollow\">IBM Fix Central</a></p></td></tr></tbody></table></div>"}],"value":"IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS Affected Product(s)Version(s)APARRemediation / FixesIBM App Connect Enterprise13.0.1.0 - 13.0.7.2PH71150The APAR (PH71150) is available fromIBM App Connect Enterprise v13- Fix Pack Release 13.0.8.0IBM App Connect Enterprise12.0.1.0 - 12.0.12.26 PH71150The APAR (PH71150) is available fromIBM App Connect Enterprise v12- Fix Pack Release 12.0.12.27IBM Integration Bus for z/OS10.1.0.0 - 10.1.0.7PH71150Interim Fix for APAR (PH71150) is available to apply to 10.1.0.7 from IBM Fix Central"}],"title":"IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql 
injection","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2026-3602","datePublished":"2026-06-30T19:19:47.135Z","dateReserved":"2026-03-05T14:48:57.881Z","dateUpdated":"2026-06-30T19:31:02.140Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-30 20:17:29","lastModifiedDate":"2026-07-02 18:21:11","problem_types":["CWE-73","CWE-89","CWE-73 CWE-73 External Control of File Name or Path"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-30T19:30:51.792018Z","id":"CVE-2026-3602","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA 
Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0.1.0","versionEndExcluding":"12.0.12.27","matchCriteriaId":"D5CD92AB-F8EC-4E5C-B615-E35C2A8D6D47"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:*","versionStartIncluding":"13.0.1.0","versionEndExcluding":"13.0.8.0","matchCriteriaId":"DE1CEC0F-3CE0-4107-B371-51F83EA2999B"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:integration_bus:*:*:*:*:*:*:*:*","versionStartIncluding":"10.1.0.0","versionEndIncluding":"10.1.0.7","matchCriteriaId":"0EA74015-3852-4BD9-84F1-038BCE95090A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:ibm:z\\/os:-:*:*:*:*:*:*:*","matchCriteriaId":"0E97A964-6F9E-4C87-9B90-21AE2C1DF52F"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3602","Ordinal":"1","Title":"IBM App Connect Enterprise and IBM Integration Bus for z/OS tool","CVE":"CVE-2026-3602","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3602","Ordinal":"1","NoteData":"IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.","Type":"Description","Title":"IBM App Connect Enterprise and IBM Integration Bus for z/OS tool"}]}}}