{"api_version":"1","generated_at":"2026-05-01T12:30:47+00:00","cve":"CVE-2026-6389","urls":{"html":"https://cve.report/CVE-2026-6389","api":"https://cve.report/api/cve/CVE-2026-6389.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6389","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6389"},"summary":{"title":"IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability","description":"IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.","state":"PUBLISHED","assigner":"ibm","published_at":"2026-04-30 22:16:26","updated_at":"2026-04-30 22:16:26"},"problem_types":["CWE-269","CWE-269 CWE-269 Improper Privilege Management"],"metrics":[{"version":"3.1","source":"psirt@us.ibm.com","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.ibm.com/support/pages/node/7270720","name":"https://www.ibm.com/support/pages/node/7270720","refsource":"psirt@us.ibm.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6389","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6389","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"IBM","product":"Turbonomic prometurbo agent","version":"affected 8.16.0 8.17.6 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\n\nProduct(s)Version(s) number and/or range Remediation/Fix/InstructionsIBM Turbonomic prometurbo agent8.18.0\n\nFollow the installation instructions https://www.ibm.com/docs/en/tarm/8.19.4 from the IBM Turbonomic documentation","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"This vulnerability was reported to IBM by Lior Yakim.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:*:*:*:*:*:*:*"],"product":"Turbonomic prometurbo agent","vendor":"IBM","versions":[{"lessThanOrEqual":"8.17.6","status":"affected","version":"8.16.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"This vulnerability was reported to IBM by Lior Yakim."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.

"}],"value":"IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-269","description":"CWE-269 Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-30T21:17:06.371Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7270720"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.

Product(s)Version(s) number and/or range Remediation/Fix/Instructions
IBM Turbonomic prometurbo agent8.18.0

Follow the installation instructions from the IBM Turbonomic documentation

"}],"value":"IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\n\nProduct(s)Version(s) number and/or range Remediation/Fix/InstructionsIBM Turbonomic prometurbo agent8.18.0\n\nFollow the installation instructions https://www.ibm.com/docs/en/tarm/8.19.4 from the IBM Turbonomic documentation"}],"title":"IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2026-6389","datePublished":"2026-04-30T21:17:06.371Z","dateReserved":"2026-04-15T19:41:36.801Z","dateUpdated":"2026-04-30T21:17:06.371Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-30 22:16:26","lastModifiedDate":"2026-04-30 22:16:26","problem_types":["CWE-269","CWE-269 CWE-269 Improper Privilege Management"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2,"impactScore":6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6389","Ordinal":"1","Title":"IBM Turbonomic Prometurbo agent used by IBM Turbonomic Applicati","CVE":"CVE-2026-6389","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6389","Ordinal":"1","NoteData":"IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.","Type":"Description","Title":"IBM Turbonomic Prometurbo agent used by IBM Turbonomic Applicati"}]}}}