VYPR
High severity · 7.2 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-4051

Description

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Engineering Lifecycle Management 7.0.3–7.2.0 exposes an improperly restricted method that allows an administrator to execute remote code.

Vulnerability

CVE-2026-4051 is a post-authentication remote code execution (RCE) vulnerability in IBM Engineering Lifecycle Management – Jazz Foundation versions 7.0.3 (through iFix021), 7.1.0 (through iFix009), and 7.2.0 (through iFix001). The root cause is an exposed dangerous method or function (CWE-749) that is not properly restricted, allowing an authenticated user with administrative privileges to invoke it. [1]

Exploitation

An attacker must already have administrative privileges on the affected system. With valid credentials, they can send a crafted request to the vulnerable, exposed method over the network (attack vector: network). No user interaction is required. The sequence consists of authenticating as an administrator and then invoking the unsecured method to execute arbitrary code on the server. [1]

Impact

Successful exploitation results in complete compromise of confidentiality, integrity, and availability (CVSS v3.1 Base Score 7.2, High). The attacker achieves remote code execution with full system privileges, leading to disclosure of sensitive data, modification or destruction of data, and potential denial of service. [1]

Mitigation

IBM has released iFixes: upgrade to iFix022 for version 7.0.3, iFix010 for 7.1.0, and iFix002 for 7.2.0. No workarounds or mitigations are available. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog as of the publication date. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1


References

1
