CVE-2026-3676 PUBLISHED

There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Assigner: ibm
Reserved: 06.03.2026 Published: 27.05.2026 Updated: 27.05.2026

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server), bundled with IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4, could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 6.5

Product Status

Vendor: IBM
Product: Cloud APM, Base Private
Versions:
  • affected from 8.1.4 to Interim Fix 021 (incl.)

Vendor: IBM
Product: Cloud APM, Advanced Private
Versions:
  • Version 8.1.4 is affected

Solutions

The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:

Security Bulletin: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&fixids=8.1.4.0-IBM-APM-SERVER-IF0019&source=SAR&function=fixId&parent=IBM%20Performance%20Management%20family

Problem Types

  • CWE-1284 Improper Validation of Specified Quantity in Input