PatchSiren cyber security CVE debrief

CVE-2026-3660 IBM CVE debrief

IBM Engineering Lifecycle Management (ELM) versions 7.0.3, 7.1.0, and 7.2.0 contain a critical authentication bypass vulnerability. An unauthenticated remote attacker can modify server property files to gain unauthorized administrative access to the application. The vulnerability is rated CVSS 3.1 9.8 (Critical) with network attack vector, low attack complexity, and no privileges or user interaction required. The weakness is categorized as CWE-863 (Incorrect Authorization). IBM has published a security bulletin with remediation guidance. No known exploitation in ransomware campaigns has been reported.

Vendor
IBM
Product
Engineering Lifecycle Management
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running IBM Engineering Lifecycle Management 7.0.3, 7.1.0, or 7.2.0 for software or systems engineering lifecycle management, particularly those with externally accessible deployments. Security teams responsible for application security in engineering and development environments. Compliance officers tracking critical vulnerability remediation timelines.

Technical summary

The vulnerability exists in IBM Engineering Lifecycle Management versions 7.0.3, 7.1.0, and 7.2.0. An unauthenticated attacker can remotely update server property files, which control application configuration and access controls. By manipulating these files, the attacker can escalate privileges and gain unauthorized access to the application. The attack requires no authentication, no user interaction, and is exploitable over the network with low complexity. The CVSS 3.1 score of 9.8 reflects complete confidentiality, integrity, and availability impact.

Defensive priority

critical

Recommended defensive actions

  • Apply IBM's security update for Engineering Lifecycle Management 7.0.3, 7.1.0, or 7.2.0 as referenced in the vendor security bulletin
  • Restrict network access to ELM administrative interfaces to trusted hosts only until patching is complete
  • Monitor application logs for unauthorized property file modifications or unexpected configuration changes
  • Verify integrity of server property files and restore from known-good backups if unauthorized changes are detected
  • Review user access logs for anomalous administrative activity following the disclosure date
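The third and fourth actions above (monitor for property file modifications, verify integrity against a known-good state) can be backed by a simple baseline-and-verify check. The script below is an added example, not IBM's tooling and not part of the original debrief: it hashes every `.properties` file under a directory, stores the result as a baseline, and on later runs reports files that were added, removed, or modified. The directory path `PROPERTY_DIR` is a placeholder (the page does not state where ELM keeps its property files), and the file names used in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Placeholder paths: the page does not state where ELM keeps its property files,
# so point these at the real server configuration directory on your host.
PROPERTY_DIR = Path("/opt/elm/server/conf")   # placeholder, not a documented ELM path
BASELINE_FILE = Path("elm-properties-baseline.json")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory: Path, suffixes=(".properties",)) -> dict:
    """Map each property file under `directory` (relative path) to its hash and size."""
    files = {}
    for path in sorted(directory.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(directory).as_posix()
            files[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return files


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(directory: Path, baseline_file: Path) -> dict:
    """Record the known-good state, ideally right after patching and a configuration review."""
    snap = snapshot(directory)
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))
    return snap


def verify(directory: Path, baseline_file: Path) -> dict:
    """Compare the live directory with the stored baseline; empty lists mean no drift."""
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, snapshot(directory))


def is_clean(report: dict) -> bool:
    """True when nothing was added, removed or modified relative to the baseline."""
    return not (report["added"] or report["removed"] or report["modified"])


def demo() -> dict:
    """Self-contained run on a constructed temporary directory (file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        baseline_path = Path(tmp) / "baseline.json"
        (conf / "server.properties").write_text("port=9443\n")      # constructed content
        (conf / "auth.properties").write_text("admin.users=alice\n")  # constructed content
        save_baseline(conf, baseline_path)
        assert is_clean(verify(conf, baseline_path))  # no drift right after baselining
        # Simulate the kind of drift the advisory warns about: an edited
        # access-control property plus an unexpected new file.
        (conf / "auth.properties").write_text("admin.users=alice,unknown\n")
        (conf / "extra.properties").write_text("x=1\n")
        return verify(conf, baseline_path)


if __name__ == "__main__":
    # Demo on constructed data; for a real check call
    # save_baseline(PROPERTY_DIR, BASELINE_FILE) once, then verify(...) on a schedule.
    print(json.dumps(demo(), indent=2))
```

Run `save_baseline` once after applying the vendor fix and reviewing the configuration, keep the baseline file somewhere the application service account cannot write, and schedule `verify` so that any non-empty `modified` or `added` list raises an alert; a non-clean report is the trigger for the "restore from known-good backups" step above.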

Evidence notes

CVE published 2026-05-26T19:16:27.707Z; modified 2026-05-26T21:16:36.883Z. IBM PSIRT reference confirmed. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CWE-863 identified. NVD status: Undergoing Analysis.

Official resources

2026-05-26