SB2026040819 - Multiple vulnerabilities in IBM App Connect Enterprise Certified

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026040819

SB2026040819 - Multiple vulnerabilities in IBM App Connect Enterprise Certified

Published: April 8, 2026

Security Bulletin ID SB2026040819
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Authorization (CVE-ID: CVE-2026-27137)

The vulnerability allows a remote attacker to bypass email address constraints during X.509 certificate chain verification.

The vulnerability exists due to improper enforcement of email constraints in crypto/x509 when verifying certificate chains containing multiple email address constraints with shared local parts but different domains. A remote attacker can present a certificate chain with malformed email constraints to cause only the last constraint to be applied, leading to improper validation.

This issue only affects Go 1.26 and requires the certificate chain to chain to a trusted root. A trusted CA must issue the malicious certificate.


2) Error Handling (CVE-ID: CVE-2026-27138)

The vulnerability allows a remote attacker to cause a denial of service via application crash during X.509 certificate verification.

The vulnerability exists due to a panic in name constraint checking in crypto/x509 when processing a certificate chain containing a certificate with an empty DNS name and another certificate with excluded name constraints. A remote attacker can send a specially crafted certificate chain to trigger a panic during verification.

This issue only affects Go 1.26 and requires the certificate chain to chain to a trusted root. A trusted CA must issue the malformed certificate.


Remediation

Install update from vendor's website.

References