CVE-2026-42930: BIG-IP Admin role bypasses Appliance Mode
CVE-2026-42930 Published on May 13, 2026

Appliance mode iControl REST vulnerability
When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Vulnerability Analysis

CVE-2026-42930 is exploitable over the network and requires high privileges: the attacker must already be authenticated with the 'Administrator' role. Attack complexity is considered low and no user interaction is needed. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

Path Traversal: '.../...//'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
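
An added illustration of this weakness class, not F5's code and not a description of how the BIG-IP flaw is implemented: a filter that strips '../' in a single pass turns '.../...//' into '../', while canonicalizing the final path and checking containment rejects it. The directory `/var/app/files`, the file names and the function names are assumptions made for the example.

```python
import os

BASE = "/var/app/files"  # hypothetical restricted directory (assumption)


def strip_once(user_path: str) -> str:
    """Weak neutralization: removes '../' in one pass and never re-checks."""
    return user_path.replace("../", "")


def resolve_weak(user_path: str) -> str:
    """Filters the input, then joins it to BASE with no containment check."""
    return os.path.normpath(os.path.join(BASE, strip_once(user_path)))


def resolve_checked(user_path: str) -> str:
    """Canonicalizes the final path, then requires it to stay under BASE."""
    base = os.path.realpath(BASE)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes restricted directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any advisory.
    samples = ["reports/q1.txt", ".../...//secret.cfg", "../secret.cfg"]
    for s in samples:
        filtered = strip_once(s)
        print(f"input={s!r} filtered={filtered!r} weak={resolve_weak(s)!r}")
        try:
            # The containment check is applied to whatever the filter produced.
            print("  checked ->", resolve_checked(filtered))
        except ValueError as exc:
            print("  checked -> rejected:", exc)
```

The containment check works on the resolved path, so it does not depend on the filter recognising every spelling of a traversal sequence.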


Products Associated with CVE-2026-42930


Affected Versions

F5 BIG-IP: