CVE-2026-7876
Description
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in IBM Aspera HSTS for CP4I 1.5.1–1.5.19 allows unauthorized file access when restriction settings are absent.
Vulnerability
IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19 are affected by an authentication bypass vulnerability (CWE-287). A transfer client can bypass authentication under certain configurations where specific restriction settings are not in place, leading to unauthorized access to files in the server's local storage [1].
Exploitation
An attacker with network access to the affected Aspera HSTS service can trigger the vulnerability without requiring any prior authentication or user interaction. The attack complexity is low, and the conditions depend on the absence of specific restriction settings that would normally block this access path [1].
Impact
Successful exploitation allows the attacker to read files in the server's local storage that would otherwise be restricted. The CVSS vector indicates high impact on confidentiality and integrity, with no impact on availability [1]. The attacker gains unauthorized read and potentially write access to sensitive data stored on the server.
Mitigation
IBM has released version 1.5.20 of Aspera High-Speed Transfer Server for CP4I, which fixes the vulnerability. Users should upgrade to this version by accessing their charts to obtain the latest release. No workarounds or mitigations are available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: 1.5.1 – 1.5.19
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.