IBM UCD/DevOps Deploy 7.3-8.2 API Response Sensitive Disclosure
CVE-2026-12085 Published on June 30, 2026
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability
IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
Vulnerability Analysis
CVE-2026-12085 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).
Products Associated with CVE-2026-12085
stack.watch emails you whenever new vulnerabilities are published in Ucd Ibm Urbancode Deploy or Ucd Ibm Devops Deploy. Just hit a watch button to start following.
Affected Versions
UCD - IBM UrbanCode Deploy:- Version 7.3.0, <= 7.3.2.18 is affected.
- Version 8.0, <= 8.0.1.13 is affected.
- Version 8.1.0, <= 8.1.2.6 is affected.
- Version 8.2.0, <= 8.2.1.0 is affected.