{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7876", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-05-05T16:12:39.223Z", "datePublished": "2026-05-27T13:56:16.166Z", "dateUpdated": "2026-06-11T14:05:33.251Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-11T14:05:33.251Z"}, "title": "Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Aspera HSTS for CP4I", "versions": [{"status": "affected", "version": "1.5.1", "lessThanOrEqual": "1.5.19", "versionType": "semver"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u00a0is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19&nbsp;is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7274127", "tags": ["vendor-advisory", "patch"]}], "solutions": [{"lang": "en", "value": "Product(s)VRMFRemediation/First FixIBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)1.5.20-\u00a0Access your charts to get the latest version", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><table><tbody><tr><td><strong>Product(s)</strong></td><td><strong>VRMF</strong></td><td><strong>Remediation/First Fix</strong></td></tr><tr><td>IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)</td><td>1.5.20</td><td>-&nbsp;Access your charts to get the latest version</td></tr></tbody></table></div>"}]}], "credits": [{"lang": "en", "value": "The vulnerabilities were reported to IBM by Yannik Marchand.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-28T14:21:36.215142Z", "id": "CVE-2026-7876", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T14:21:59.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-7876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-28T14:21:36.215142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T14:21:55.302Z"}}], "cna": {"title": "Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "The vulnerabilities were reported to IBM by Yannik Marchand."}], "affected": [{"cpes": ["cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:aspera_hsts_for_cp4i:1.5.19:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Aspera HSTS for CP4I", "versions": [{"status": "affected", "version": "1.5.1", "versionType": "semver", "lessThanOrEqual": "1.5.19"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Product(s)VRMFRemediation/First FixIBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)1.5.20-\u00a0Access your charts to get the latest version", "supportingMedia": [{"type": "text/html", "value": "<div><table><tbody><tr><td><strong>Product(s)</strong></td><td><strong>VRMF</strong></td><td><strong>Remediation/First Fix</strong></td></tr><tr><td>IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)</td><td>1.5.20</td><td>-&nbsp;Access your charts to get the latest version</td></tr></tbody></table></div>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7274127", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u00a0is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19&nbsp;is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-11T14:05:33.251Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7876", "state": "PUBLISHED", "dateUpdated": "2026-06-11T14:05:33.251Z", "dateReserved": "2026-05-05T16:12:39.223Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-05-27T13:56:16.166Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:aspera_high-speed_transfer_server_for_cloud_pak_for_integration:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA132BA2-35FB-4791-9F4F-97090025751F", "versionEndExcluding": "1.5.20", "versionStartIncluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19\u00a0is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to, when specific restriction settings are not in place."}], "id": "CVE-2026-7876", "lastModified": "2026-06-11T14:16:32.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-05-27T14:17:35.727", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7274127"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "psirt@us.ibm.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.1,1.5.19]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Aspera HSTS for CP4I", "source": "cna", "vendor": "IBM"}, "product": "aspera_hsts_for_cp4i", "vendor": "ibm"}], "created": "2026-05-27T20:00:05.924730+00:00", "updated": "2026-05-29T23:00:14.670829+00:00", "vendors": ["ibm", "ibm$PRODUCT$aspera_hsts_for_cp4i"]}