IBM's May 2026 Patch Dump: 25 CVEs Span Aspera, Db2, Langflow, and More
IBM disclosed 25 vulnerabilities across a dozen product lines on May 27, 2026, including a critical unauthenticated buffer overflow in Aspera High-Speed Transfer and a critical archive-extraction RCE in Langflow.

IBM released a large coordinated disclosure on May 27, 2026, publishing 25 CVEs that span more than a dozen product families, from Aspera file-transfer servers and Db2 database servers to Langflow AI workflow tooling, WebSphere Liberty, and QRadar SIEM. Tallied by the scores given for each bulletin, the batch holds three Critical-severity flaws (two at CVSS 9.8 and one at 9.1), eight High-severity bugs, and fourteen Medium-severity issues; together they demand attention from every team running IBM infrastructure.
Aspera High-Speed Transfer carries the heaviest cluster. Four CVEs sit in the asperahttpd component of Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1, and two of them need no credentials at all. CVE-2026-8175 (CVSS 9.8, Critical) is a buffer overflow an unauthenticated attacker can trigger to cause a denial of service and potentially execute arbitrary code. CVE-2026-8179 (CVSS 8.8, High) is a separate buffer overflow in the same component with the same code-execution outcome; it scores lower only because it requires authentication. CVE-2026-8180 (CVSS 7.5, High) is an unauthenticated denial-of-service vector in asperahttpd, and CVE-2026-9035 (CVSS 6.5, Medium) lets an authenticated user read arbitrary files through the same HTTP component. Because asperahttpd is an HTTP-facing service, any instance reachable from untrusted networks is the top priority in this batch. Separately, CVE-2026-7876 (CVSS 9.1, Critical) affects IBM Aspera HSTS for Cloud Pak for Integration versions 1.5.1 through 1.5.19; the advisory's description is truncated, so the vulnerability class is not stated.
Langflow OSS ships a critical archive-extraction RCE. CVE-2026-7524 (CVSS 9.8, Critical) affects Langflow OSS 1.0.0 through 1.9.1 and stems from improper validation of symbolic links during archive extraction, the classic link-following pattern: the archive first plants a symlink that points outside the extraction directory, and a later member written through that link lands wherever the attacker chose. An arbitrary write outside the intended tree is the usual route to remote code execution, for example by overwriting a startup script, a configuration file, or module code the application later loads. A companion denial-of-service bug, CVE-2026-7528 (CVSS 7.1, High), affects the same version range through uncontrolled resource consumption.
Db2 and products built on it account for six CVEs. CVE-2026-6938 (CVSS 6.5) is an authorization bypass in Db2 12.1.0–12.1.4, triggered by a specially crafted query when uploading to remote object storage. Three denial-of-service bugs affect Db2 11.5.0–11.5.9 and 12.1.0–12.1.4: CVE-2026-6053 (range-partitioned tables, CVSS 5.5), CVE-2026-6052 (MDC tables, CVSS 6.5), and CVE-2026-6051 (small statement heap, CVSS 5.5). CVE-2026-1718 (CVSS 7.1, High) is a further Db2 DoS vector, triggered by a specially crafted query when autonomous transactions are enabled. CVE-2026-3676 (CVSS 6.5) affects IBM Cloud APM (Base and Advanced Private 8.1.4) and stems from improper neutralization of special elements in data query logic within the Db2 fenced environment, which is to say an injection into query logic rather than a memory-safety bug.
WebSphere and Liberty see two medium-severity flaws. CVE-2026-5516 (CVSS 4.4) affects WebSphere Liberty 22.0.0.11 through 26.0.0.5 and could let a remote attacker bypass security restrictions by exploiting a specific timing window, in other words a race condition. CVE-2026-4410 (CVSS 4.8) affects Liberty 19.0.0.7–26.0.0.5 and WebSphere Application Server 9.0 and 8.5, allowing a denial of service via a specially crafted request.
Privilege escalation and credential exposure round out the batch. CVE-2026-3623 (CVSS 7.8, High) in IBM Netezza Performance Server Replication Services 3.0.2.0–3.0.5.0 lets a low-privileged attacker escalate to root: execute root-level commands, obtain a root shell, and change the root password. CVE-2026-7365 (CVSS 8.4, High) affects IBM Operations Analytics – Log Analysis and IBM SmartCloud Analytics – Log Analysis, which ship with default passwords set during manufacturing; anyone who knows those defaults bypasses authentication outright. CVE-2026-8405 (CVSS 6.5) exposes sensitive credentials in debug mode in the Long Term Retention add-on of IBM Guardium Data Protection 12.2.1 and 12.2.2. CVE-2026-3366 (CVSS 7.5, High) is a path-traversal vulnerability in IBM InfoSphere Optim Test Data Fabrication that lets a remote attacker read arbitrary files via ../ sequences. CVE-2026-5515 (CVSS 5.5) writes sensitive information to log files in IBM App Connect Enterprise 13.0.1.0–13.0.7.0. CVE-2026-1248 (CVSS 4.3) leaks database structure in error messages from IBM Business Automation Workflow. CVE-2026-6936 (CVSS 6.5) is a denial of service via uncontrolled recursion in the ILE compiler on IBM i 7.3–7.6. CVE-2026-2607 (CVSS 5.1) affects IBM MQ Operator and MQ Advanced container images across a wide version range. CVE-2025-3633 (CVSS 5.4) is a cross-site scripting vulnerability in IBM Cognos Analytics and Cognos Transformer. Finally, CVE-2024-56462 (CVSS 7.2, High) affects IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002: a privileged user can upload a malicious backup archive which, once restored, yields access to the underlying OS, so backup restore is an archive-handling trust boundary even though it sits behind administrative rights.
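Three of the bugs above come down to the same missing check on an attacker-controlled path: the link-following bug during archive extraction in Langflow (CVE-2026-7524), the ../ traversal in InfoSphere Optim Test Data Fabrication (CVE-2026-3366), and the QRadar backup-archive restore (CVE-2024-56462). The Python below is an added example written for this article; it is not code from Langflow, IBM or any affected product, and it says nothing about how those products are actually written. The tar archive it builds is constructed inline, and the function names (resolve_inside, extract_naive, extract_safe, demo) are this example's own. It first extracts a malicious archive with Python's own link-following tarfile behaviour so the payload visibly lands in a sibling directory, then runs a hardened extractor that refuses link and special-file members, refuses ../ components and absolute names, and confirms every resolved target stays under the destination. The same resolve_inside() containment check is what a file-read endpoint needs before opening a path taken from a request.

```python
import io
import os
import posixpath
import tarfile
import tempfile
from pathlib import Path

# tarfile's extraction filters (the 'filter' keyword) exist in Python 3.12+ and in the
# 3.8.17/3.9.17/3.10.12/3.11.4 backports; detect the feature rather than the version.
_HAS_FILTER = hasattr(tarfile, "data_filter")


class UnsafePath(ValueError):
    """Raised when an attacker-controlled path would escape the intended root."""


def resolve_inside(root, untrusted: str) -> Path:
    """Containment check for a path taken from an archive member name or a request.

    Refuses absolute names and any '..' component, then confirms that the fully
    resolved target (existing symlinks included) still sits under root.
    """
    if posixpath.isabs(untrusted):
        raise UnsafePath(f"absolute path refused: {untrusted!r}")
    if ".." in posixpath.normpath(untrusted).split("/"):
        raise UnsafePath(f"parent traversal refused: {untrusted!r}")
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, untrusted))
    if os.path.commonpath([real_root, target]) != real_root:
        raise UnsafePath(f"resolves outside root: {untrusted!r} -> {target}")
    return Path(target)


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample input (not a real Langflow or QRadar artifact).

    Malicious layout: a symlink member 'escape' -> '../outside' followed by the regular
    file 'escape/payload.txt'. A link-following extractor creates the symlink first and
    then writes the file *through* it, into the sibling 'outside' directory.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if malicious:
            link = tarfile.TarInfo("escape")
            link.type = tarfile.SYMTYPE
            link.linkname = "../outside"
            tar.addfile(link)
        payload = b"written by the extractor\n"
        info = tarfile.TarInfo("escape/payload.txt" if malicious else "flow/payload.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_naive(archive: bytes, dest: Path) -> None:
    """Vulnerable pattern: extract everything and follow whatever links the archive planted."""
    kwargs = {"filter": "fully_trusted"} if _HAS_FILTER else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest, **kwargs)


def extract_safe(archive: bytes, dest: Path) -> list:
    """Hardened pattern: validate every member before anything is written, then extract.

    Links are refused outright (a chain of in-tree links can still escape), special files
    are refused, and the destination must be empty so no pre-existing link is followed.
    Returns the relative paths of the files written.
    """
    dest.mkdir(parents=True, exist_ok=True)
    if any(dest.iterdir()):
        raise UnsafePath("destination must be an empty directory")
    kwargs = {"filter": "data"} if _HAS_FILTER else {}  # second line of defence where available
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        for m in members:  # one bad member rejects the whole archive
            if m.issym() or m.islnk():
                raise UnsafePath(f"link member refused: {m.name!r} -> {m.linkname!r}")
            if not (m.isreg() or m.isdir()):
                raise UnsafePath(f"special file refused: {m.name!r}")
            resolve_inside(dest, m.name)
        for m in members:
            tar.extract(m, dest, **kwargs)
    return sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())


def demo() -> dict:
    """Run both extractors on the constructed archive in a scratch tree and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "outside").mkdir()  # stands in for whatever directory the attacker targets
        naive_dest = root / "naive"
        naive_dest.mkdir()
        extract_naive(build_sample_archive(malicious=True), naive_dest)
        escaped = (root / "outside" / "payload.txt").is_file()  # payload left the destination
        try:
            extract_safe(build_sample_archive(malicious=True), root / "safe")
            blocked = False
        except UnsafePath:
            blocked = True
        benign = extract_safe(build_sample_archive(malicious=False), root / "benign")
        try:  # the same check applied to a request parameter on a file-read endpoint
            resolve_inside(root / "benign", "../../etc/passwd")
            traversal_blocked = False
        except UnsafePath:
            traversal_blocked = True
    return {"naive_escaped": escaped, "safe_blocked": blocked,
            "benign_files": benign, "traversal_blocked": traversal_blocked}


if __name__ == "__main__":
    print(demo())
```

Refusing link members entirely is deliberate: validating each link target individually is not enough, because a later link can point at an earlier in-tree link and the chain resolves outside. On Python 3.12 and later the "data" extraction filter enforces most of this on its own, but the explicit pass over the members keeps the policy visible and makes the whole archive fail before a single byte is written.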
Patch status and response. IBM has published an advisory for each CVE through its PSIRT channels. Affected and fixed versions vary by product, so administrators should consult the individual IBM Security Bulletins for what they actually run. The Aspera asperahttpd bugs affect every release from 3.7.4 through 4.4.7 Fix Pack 1; customers on any of those should apply the fix pack named in the bulletin, and until they do, keeping the HTTP service off untrusted networks cuts off the unauthenticated paths (CVE-2026-8175, CVE-2026-8180). Langflow users should upgrade to a release later than 1.9.1. Db2 customers on 11.5.x and 12.1.x should apply the latest fix packs. For the products shipping default credentials (CVE-2026-7365), changing those passwords immediately is the primary mitigation, and reviewing authentication logs for logins that used the defaults is the natural follow-up.