CVE-2026-12084

MEDIUM

IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains

Title source: cna
STIX 2.1

Description

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
https://www.ibm.com/support/pages/node/7277575

Scores

CVSS v3 5.4
EPSS 0.0016
EPSS Percentile 5.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-942
Status published
Products (3)
ibm/devops_deploy 8.1.0.0 - 8.1.2.7
IBM/UCD - IBM DevOps Deploy 8.1.0 - 8.1.2.6
IBM/UCD - IBM DevOps Deploy 8.2.0 - 8.2.1.0
Published Jun 30, 2026
Tracked Since Jul 01, 2026