CVE-2026-3660
Description
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated remote attacker can modify server property files in IBM Engineering Lifecycle Management (Jazz Foundation) 7.0.3–7.2.0, leading to authentication bypass.
Vulnerability
IBM Engineering Lifecycle Management – Jazz Foundation versions 7.0.3 (through iFix021), 7.1.0 (through iFix009), and 7.2.0 (through iFix001) contain an incorrect authorization vulnerability (CWE-863) that allows an unauthenticated remote attacker to update server property files [1]. By modifying these configuration files, the attacker can bypass authentication controls and gain unauthorized access to the application.
Exploitation
An attacker can exploit this vulnerability over the network without any authentication or user interaction. The attack complexity is low because the vulnerable endpoint or mechanism that permits writing to server property files is exposed without proper access controls [1]. No special privileges or prior access are required.
Impact
Successful exploitation leads to authentication bypass and unauthorized access to the IBM Engineering Lifecycle Management application. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the impact on confidentiality, integrity, and availability as High [1].
Mitigation
IBM has released iFixes to address this vulnerability: iFix022 for version 7.0.3, iFix010 for version 7.1.0, and iFix002 for version 7.2.0 [1]. No workarounds are available [1]. Organizations should apply the appropriate iFix as soon as possible to prevent exploitation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=7.2.0 Interim Fix 001
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.