CVE-2026-7870: IBM i is Affected by Privilege Escalation
IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A privilege escalation vulnerability affects IBM i versions 7.3 through 7.6, caused by an unqualified library call that allows user-controlled code to be substituted and executed with administrator privileges. The flaw is reachable over the network and requires only a low-privilege account to exploit, with no victim interaction needed. Successful exploitation gives an attacker full control over the confidentiality, integrity, and availability of the affected system. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as IBM publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images, as they pass through registries and CI/CD pipelines.
Status: Available
HarborGuard scores this issue at CVSS 8.8 (High) and is capable of weighting that score against each customer environment's compliance policy to surface it to the appropriate team inbox without manual routing.
Status: Available
Because no fix versions have been published by IBM, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable service is exposed over the network, so an attacker must be able to reach it remotely.
- Authentication: Required
  A low-privilege account is sufficient; no administrative credentials are needed to trigger the unqualified library call.
- Victim interaction: Not required
  No user action or social engineering is needed; the attacker can exploit the flaw directly.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configuration.
Blast Radius
- A successful attacker executes arbitrary code with administrator privileges on the IBM i system.
- Confidential data stored on the system, including application data and credentials, becomes fully readable.
- The attacker can modify or delete persisted data, configuration files, and system objects.
- The attacker can crash or deny availability to services running on the affected IBM i instance.
How HarborGuard Handles This
Available on HarborGuard: because IBM has not yet published a fix for CVE-2026-7870, HarborGuard continuously monitors the advisory across ingest cycles and will surface a patched-image rebuild the moment IBM releases a corrected version. In the meantime, customers are advised to apply compensating controls where possible: restrict network access to IBM i service endpoints using network policy or firewall rules, limit which accounts can invoke the affected library paths, and consider feature-flag or configuration-level gating of the vulnerable call if supported by your deployment. For customers with auto-remediation enabled, once a fix version is published, HarborGuard will automatically trigger a rebuild, run regression tests, and open a PR against affected workloads.
- IBM / i: 7.6 · 7.5 · 7.4 · 7.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H