CVE-2026-2607 - Vulnerability Details

IBM MQ Operator SC2: v3.2.0 through 3.2.23CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

MQ Operator

affected

Version	Status	Constraints
`SC2: v3.2.0`	affected	≤ 3.2.23CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29

IBM

supplied MQ Advanced container images

affected

Version	Status	Constraints
`SC2: 9.4.0.6`	affected	≤ r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Ibm Subscribe	Mq Operator Subscribe Supplied Mq Advanced Container Images Subscribe

Project Subscriptions

Vendors	Products
Ibm Subscribe	Mq Operator Subscribe Supplied Mq Advanced Container Images Subscribe

Advisories

No advisories yet.

Fixes

Solution

Issues mentioned by this security bulletin are addressed in - * IBM MQ Operator v3.9.2 CD release that included IBM supplied MQ Advanced 9.4.5.1-r1 container image. * IBM MQ Operator v3.2.24 SC2 release that included IBM supplied MQ Advanced 9.4.0.21-r1 container image. * IBM MQ Container 9.4.5.0-r2 release. IBM strongly recommends applying the latest container images. IBM MQ Operator v3.9.2 CD release details: Image Fix Version Registry Image Location ibm-mq-operator v3.9.2 icr.io icr.io/cpopen/ibm-mq-operator@sha256:a62c6c91c4d0acccc8231e8639ecb5da9a49ba8475a2c38655446a2fc22e0fcf ibm-mqadvanced-server 9.4.5.1-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server@sha256:7b69ef7c554ced9825b450209c304669626082282b9f5eb021b051acea49a1a0 ibm-mqadvanced-server-integration 9.4.5.1-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:b7cc492502f9a8072a47e794697094f8f3607ab745814befd881389a088d8045 ibm-mqadvanced-server-dev 9.4.5.1-r1 icr.io icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:28cd7e9dc413eced83b21e02cd3683966f19ef22867bbc7ca8c1ed19d062f986 IBM MQ Operator v3.2.24 SC2 release details: Image Fix Version Registry Image Location ibm-mq-operator v3.2.24 icr.io icr.io/cpopen/ibm-mq-operator@sha256:9b99e07fe04f690be7f0c8b60d15b32c72b9964e3043a818eb1339a8ad8b1f3f ibm-mqadvanced-server 9.4.0.21-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server@sha256:3782667654290147084436f31e21e7890aecb1c86dc0a8906e9eda966123b0fd ibm-mqadvanced-server-integration 9.4.0.21-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:647a2562789ddbd2bcba20c74a3309c349105f0b32357366a22b02c7666d70be ibm-mqadvanced-server-dev 9.4.0.21-r1 icr.io icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:be50e5e2de4faa4cbeab504e5439a5a1c01a6fe7bfbffc5de0091f1a0457efca IBM MQ Container 9.4.5.1-r1 release details: Image Fix Version Registry Image Location ibm-mqadvanced-server 9.4.5.1-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server@sha256:7b69ef7c554ced9825b450209c304669626082282b9f5eb021b051acea49a1a0 ibm-mqadvanced-server-dev 9.4.5.1-r1 icr.io icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:28cd7e9dc413eced83b21e02cd3683966f19ef22867bbc7ca8c1ed19d062f986

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.ibm.com/support/pages/node/7273145

History

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		IBM MQ Operator SC2: v3.2.0 through 3.2.23CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user.
Title		Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
First Time appeared		Ibm Ibm mq Operator Ibm supplied Mq Advanced Container Images
Weaknesses		CWE-532
CPEs		cpe:2.3:a:ibm:mq_operator:3.2.23:cd:::::::* cpe:2.3:a:ibm:mq_operator:sc2:::::::* cpe:2.3:a:ibm:supplied_mq_advanced_container_images:r1:::::::* cpe:2.3:a:ibm:supplied_mq_advanced_container_images:sc2:::::::*
Vendors & Products		Ibm Ibm mq Operator Ibm supplied Mq Advanced Container Images
References		https://www.ibm.com/support/pages/node/7273145
Metrics		cvssV3_1 `{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-05-27T12:20:42.199Z

Updated: 2026-05-27T12:20:42.199Z

Reserved: 2026-02-16T22:18:10.093Z

Link: CVE-2026-2607

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:44.517

Modified: 2026-05-27T14:53:51.833

Link: CVE-2026-2607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:45:32Z

Weaknesses

CWE-532

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object