PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2607 IBM CVE debrief

IBM MQ Operator and IBM-supplied MQ Advanced container images store potentially sensitive information in log files that could be read by a local user. The vulnerability affects multiple release streams: SC2 (v3.2.0 through 3.2.23, and container images 9.4.0.6 through 9.4.0.20-r1), CD (v3.3.0 through v3.9.1, and container images 9.4.1.0-r1 through 9.4.5.0-r2), and LTS (v2.0.0 through 2.0.29, and container images 9.3.0.0-r1 through 9.4.0.5-r2). The CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a local attack vector with high attack complexity, requiring no privileges or user interaction, resulting in high confidentiality impact with no integrity or availability impact. The weakness is categorized as CWE-532 (Insertion of Sensitive Information into Log File).

Vendor
IBM
Product
MQ Operator
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running IBM MQ Operator or IBM-supplied MQ Advanced container images in Kubernetes/OpenShift environments, particularly those with multi-tenant or shared-node deployments where local user access controls may be insufficiently restrictive.

Technical summary

IBM MQ deployments using affected Operator versions and container images write potentially sensitive information to log files without adequate access controls, allowing local users to read confidential data. The vulnerability spans extensive version ranges across SC2, CD, and LTS release streams. Attack complexity is rated high, limiting exploitation likelihood, but successful access could expose credentials or other sensitive operational data.

Defensive priority

medium

Recommended defensive actions

  • Review IBM security bulletin for affected versions and patch availability
  • Audit MQ log file permissions to restrict local access
  • Identify and rotate any credentials potentially exposed in MQ logs
  • Monitor for unauthorized local access to MQ log directories
  • Apply IBM-provided fixes when available per vendor guidance

Evidence notes

CVE published and modified 2026-05-27. IBM PSIRT reference provided. Awaiting NVD analysis.

Official resources

2026-05-27