IBM Guardium DP 12.1 dir traversal -> arbitrary file write via crafted URL
CVE-2026-4917 Published on April 22, 2026

IBM Guardium Data Protection is affected by multiple vulnerabilities
IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-4917 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-4917 has been classified to as a Directory traversal vulnerability or weakness.


Products Associated with CVE-2026-4917

Want to know whenever a new CVE is published for IBM Guardium Data Protection? stack.watch will email you.

IBM Guardium Data Protection
 

Affected Versions

IBM Guardium Data Protection Version 12.1 is affected by CVE-2026-4917