HIGHCVE-2026-20916Published 2026-05-13Modified 2026-05-13CNA f5

CVE-2026-20916: BIG-IQ iControl REST vulnerability

An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v4.0: 7.2
Severity: HIGH
Fixed in: 8.4.1
Affected Products: 1

Fix available

8.4.1

Patch commits

my.f5.com

Affected packages

F5 / BIG-IQ
< 8.4.1 (from 8.4.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References

my.f5.com

Metrics

Fix available