CVE-2026-6389 PUBLISHED

IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability

Assigner: ibm
Reserved: 15.04.2026 Published: 30.04.2026 Updated: 30.04.2026

The IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6, used by IBM Turbonomic Application Resource Management, grants excessive cluster-wide permissions, including unrestricted read access to all secrets. An attacker who compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.
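One way to audit a cluster for the condition described above, as an added example that is not IBM's code: the function below scans the JSON from `kubectl get clusterroles,clusterrolebindings -o json` for service accounts bound cluster-wide to a role that can read every secret. The role, namespace and service account names in the sample are constructed and are not the actual prometurbo object names.

```python
import json, sys

READ_VERBS = {"get", "list", "watch", "*"}

def rule_reads_all_secrets(rule):
    """True if one RBAC rule lets the subject read every Secret it covers."""
    in_core = bool({"", "*"} & set(rule.get("apiGroups", [])))
    hits_secrets = bool({"secrets", "*"} & set(rule.get("resources", [])))
    unrestricted = not rule.get("resourceNames")  # a name list narrows the grant
    return (in_core and hits_secrets and unrestricted
            and bool(READ_VERBS & set(rule.get("verbs", []))))

def find_secret_readers(rbac_list):
    """Sorted (namespace/serviceaccount, clusterrole) pairs with cluster-wide secret read."""
    items = rbac_list.get("items", [])
    risky = {i["metadata"]["name"] for i in items if i.get("kind") == "ClusterRole"
             and any(rule_reads_all_secrets(r) for r in i.get("rules") or [])}
    findings = set()
    for i in items:
        ref = i.get("roleRef", {})
        if i.get("kind") != "ClusterRoleBinding" or ref.get("name") not in risky:
            continue
        for s in i.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                findings.add((f"{s.get('namespace')}/{s['name']}", ref["name"]))
    return sorted(findings)

def _role(name, groups, resources, verbs, names=None):
    rule = {"apiGroups": groups, "resources": resources, "verbs": verbs,
            "resourceNames": names or []}
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": [rule]}

def _bind(role, ns, sa):
    return {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "namespace": ns, "name": sa}]}

# Constructed sample; object names are hypothetical, not prometurbo's own.
SAMPLE = {"kind": "List", "items": [
    _role("example-operator-wide", ["*"], ["*"], ["*"]),
    _role("example-one-secret", [""], ["secrets"], ["get"], ["tls-cert"]),
    _role("example-metrics", [""], ["pods", "services"], ["get", "list"]),
    _bind("example-operator-wide", "monitoring", "example-operator"),
    _bind("example-one-secret", "monitoring", "example-reader"),
    _bind("example-metrics", "monitoring", "example-scraper"),
]}

if __name__ == "__main__":  # live use: pipe the kubectl JSON output to this script
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(find_secret_readers(data))
```

The check covers ClusterRoleBindings only; a RoleBinding that references the same ClusterRole grants the access in one namespace and is not reported here.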

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor IBM
Product Turbonomic prometurbo agent
Versions
  • affected from 8.16.0 to 8.17.6 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.

Product(s): IBM Turbonomic prometurbo agent
Version(s) number and/or range: 8.18.0
Remediation/Fix/Instructions: Follow the installation instructions at https://www.ibm.com/docs/en/tarm/8.19.4 from the IBM Turbonomic documentation.

Credits

  • This vulnerability was reported to IBM by Lior Yakim (finder).

Problem Types

  • CWE-269: Improper Privilege Management