VYPR
Medium severity (6.5) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-6938

Description

IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Db2 12.1.0-12.1.4 has an authorization bypass allowing an authenticated user to upload to remote object storage using a crafted query.

Vulnerability

IBM Db2 versions 12.1.0 through 12.1.4 on Linux and Unix (Windows is not affected) contain an improper authorization vulnerability (CWE-285) when uploading to a remote object storage path. The issue is reachable during LOAD operations that use the COPY YES clause with a specially crafted query referencing a DB2REMOTE:// URI. The affected product is Db2 Server; earlier unsupported releases (10.1, 9.7, etc.) are also considered affected [1].

Exploitation

An attacker must have a valid Db2 user account (low privileges, PR:L in CVSS) and network access to the system. The attacker can craft a LOAD command using a COPY YES clause with a special query that references a remote object storage path (DB2REMOTE://). This bypasses the intended authorization checks, allowing the attacker to upload data to remote storage without proper permissions [1]. IBM has not disclosed further reproduction steps, to avoid aiding malicious exploitation [1].

Impact

Successful exploitation allows the attacker to write or overwrite data at a remote object storage location, violating the intended authorization policy. Confidentiality and availability are not directly compromised, but integrity is affected (CVSS I:H, with C:N and A:N). No user interaction is required [1].

Mitigation

IBM has released a special build containing the interim fix for V12.1.4, available from Fix Central. Customers on V12.1 (or earlier supported versions) can apply this build to any affected level of the appropriate release. As a workaround, issue the LOAD command with the COPY YES clause directly rather than relying on the DB2_LOAD_COPY_NO_OVERRIDE registry variable. Earlier unsupported releases (10.1, 9.7, etc.) should be upgraded to a supported version; no fix is available for them [1].
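The following is an added defender-side example, not code from the advisory or from IBM: it checks whether a reported Db2 version and platform fall in the affected range stated above, and scans statement-log lines for LOAD operations that use COPY YES with a DB2REMOTE:// copy target, the shape of operation the advisory describes. The log line format, the `user=` / `stmt=` fields and the sample entries are constructed for illustration and do not reflect any real Db2 audit format.

```python
import re
from typing import Dict, List, Tuple

# Affected range taken from the advisory: IBM Db2 12.1.0 through 12.1.4 on Linux/Unix.
AFFECTED_MIN: Tuple[int, int, int] = (12, 1, 0)
AFFECTED_MAX: Tuple[int, int, int] = (12, 1, 4)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '12.1.4' (or '12.1') into a comparable 3-tuple; missing parts are 0."""
    nums = [int(p) for p in version.strip().split(".") if p]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected_version(version: str, platform: str) -> bool:
    """True if this Db2 level is within the advisory's affected range.

    The advisory states Windows is not affected, so any Windows platform
    string short-circuits to False regardless of version.
    """
    if platform.strip().lower().startswith("win"):
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Statement text must contain LOAD ... COPY YES ... TO DB2REMOTE://<target>.
# Assumption (constructed): the copy target ends at whitespace or a quote/bracket.
LOAD_RE = re.compile(r"\bLOAD\b", re.IGNORECASE)
REMOTE_COPY_RE = re.compile(
    r"\bCOPY\s+YES\b.*?\bTO\s+(DB2REMOTE://[^\s'\",)]+)", re.IGNORECASE
)
USER_RE = re.compile(r"\buser=(\S+)")


def flag_risky_loads(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that is a LOAD with COPY YES to a DB2REMOTE:// path.

    LOADs with COPY NO, LOADs copying to a local path, and non-LOAD statements
    are deliberately not flagged: the advisory concerns uploads to remote storage.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        if not LOAD_RE.search(line):
            continue
        m = REMOTE_COPY_RE.search(line)
        if not m:
            continue
        user_m = USER_RE.search(line)
        findings.append(
            {
                "line": lineno,
                "user": user_m.group(1) if user_m else None,
                "target": m.group(1),
                "stmt": line.strip(),
            }
        )
    return findings


# Constructed sample log lines (illustrative format, not real Db2 audit output).
SAMPLE_LOG: List[str] = [
    '2026-05-27T10:00:01Z user=ETLUSER stmt="LOAD FROM /data/orders.del OF DEL INSERT INTO orders COPY NO"',
    '2026-05-27T10:00:05Z user=ETLUSER stmt="LOAD FROM /data/items.del OF DEL INSERT INTO items COPY YES TO /backups/loadcopy"',
    '2026-05-27T10:00:09Z user=APPUSER stmt="LOAD FROM /tmp/x.del OF DEL INSERT INTO t1 COPY YES TO DB2REMOTE://objstore1//db2copies/"',
    '2026-05-27T10:00:12Z user=APPUSER stmt="SELECT COUNT(*) FROM t1"',
]


if __name__ == "__main__":
    print("12.1.4 on Linux affected:", is_affected_version("12.1.4", "Linux"))
    print("12.1.4 on Windows affected:", is_affected_version("12.1.4", "Windows"))
    for f in flag_risky_loads(SAMPLE_LOG):
        print(f"line {f['line']}: user={f['user']} target={f['target']}")
```

Only the third sample line is reported: it is the one LOAD whose COPY YES target is a DB2REMOTE:// path, which is the case to review against who is authorized to write to that storage. A match is an indicator for triage, not proof of exploitation; the unpatched-version check is the stronger signal and the interim fix from Fix Central is the remediation.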

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • IBM/Db2 (llm-fuzzy match)
    Range: >=12.1.0, <=12.1.4

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.