CVE-2026-3676: IBM Db2 APM: DoS via query special element injection

MEDIUM
Published May 27, 2026
CISO Take

An authenticated attacker with low privileges can crash IBM Cloud APM 8.1.4 and IBM Db2 by injecting special characters into query logic targeting the Fenced environment, a sandboxed execution layer for external stored procedures. With a CVSS 6.5 and network-accessible attack vector requiring no user interaction, this is exploitable by any authenticated database user — including service accounts commonly provisioned for AI/ML data pipelines. There is no public exploit and no CISA KEV listing, but Db2 instances serving as backend stores for training data, feature stores, or analytics workloads face availability risk if left unpatched. Apply IBM's patch referenced at https://www.ibm.com/support/pages/node/7273649 and audit service accounts with query execution rights on Fenced-enabled instances.

Sources: NVD ibm.com ATLAS

What is the risk?

Medium risk overall. CVSS 6.5 reflects authenticated access requirement (reducing opportunistic exploitation) but the network vector, low complexity, and zero user interaction lower the bar significantly for any insider or compromised service account. AI/ML pipelines that rely on Db2 as a persistent store — including those feeding real-time inference or training jobs — face a targeted availability threat. No EPSS data available and no public exploit reduce immediate urgency, but the Fenced environment is a privileged execution context, and a DoS here can cascade into pipeline stalls or data ingestion failures.

How does the attack unfold?

Initial Access
Attacker authenticates to IBM Db2 or Cloud APM using a low-privilege service account, such as one provisioned for an AI/ML data pipeline.
AML.T0012
Exploitation
Attacker submits a crafted query containing special characters that are not properly validated by the Fenced environment query logic (CWE-1284), triggering the vulnerability.
AML.T0049
Impact — Service Denial
The Fenced daemon crashes, halting execution of stored procedures and UDFs, causing availability loss for AI/ML pipelines dependent on Db2 for data access or feature computation.
AML.T0029

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 32% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Apply the fix referenced in IBM advisory https://www.ibm.com/support/pages/node/7273649 for IBM Cloud APM 8.1.4 and IBM Db2 for Linux/UNIX/Windows.

  2. Audit and restrict EXECUTE privileges on Fenced stored procedures to only accounts that require them — principle of least privilege limits blast radius.

  3. Enable database audit logging to detect abnormal query patterns with special characters against Fenced routines.

  4. For AI/ML pipelines using Db2, add availability monitoring and automatic failover to detect and recover from unexpected Db2 Fenced environment crashes.

  5. Until patched, consider disabling or restricting Fenced mode execution for non-essential procedures.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
8.4 - AI System Operation
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-3676?

An authenticated attacker with low privileges can crash IBM Cloud APM 8.1.4 and IBM Db2 by injecting special characters into query logic targeting the Fenced environment, a sandboxed execution layer for external stored procedures. With a CVSS 6.5 and network-accessible attack vector requiring no user interaction, this is exploitable by any authenticated database user — including service accounts commonly provisioned for AI/ML data pipelines. There is no public exploit and no CISA KEV listing, but Db2 instances serving as backend stores for training data, feature stores, or analytics workloads face availability risk if left unpatched. Apply IBM's patch referenced at https://www.ibm.com/support/pages/node/7273649 and audit service accounts with query execution rights on Fenced-enabled instances.

Is CVE-2026-3676 actively exploited?

No confirmed active exploitation of CVE-2026-3676 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3676?

1. Apply the fix referenced in IBM advisory https://www.ibm.com/support/pages/node/7273649 for IBM Cloud APM 8.1.4 and IBM Db2 for Linux/UNIX/Windows. 2. Audit and restrict EXECUTE privileges on Fenced stored procedures to only accounts that require them — principle of least privilege limits blast radius. 3. Enable database audit logging to detect abnormal query patterns with special characters against Fenced routines. 4. For AI/ML pipelines using Db2, add availability monitoring and automatic failover to detect and recover from unexpected Db2 Fenced environment crashes. 5. Until patched, consider disabling or restricting Fenced mode execution for non-essential procedures.

What systems are affected by CVE-2026-3676?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Data analytics backends, Feature stores, Model monitoring infrastructure.

What is the CVSS score for CVE-2026-3676?

CVE-2026-3676 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.40%.

What is the AI security impact?

Affected AI Architectures

Training pipelinesData analytics backendsFeature storesModel monitoring infrastructure

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.

Exploitation Scenario

An attacker with a compromised low-privilege service account — such as one used by a data ingestion pipeline feeding an ML training job — authenticates to an IBM Db2 instance running the affected version. They craft a query string containing special characters that bypass input validation in the Fenced environment query logic (CWE-1284: improper validation of specified quantity in input). Upon execution, the Fenced daemon crashes, taking down all stored procedures and UDFs running in that context. Downstream AI/ML batch jobs that depend on Db2 stored procedures for feature computation or data transformation silently fail or stall, causing training data corruption by omission or delaying model retraining cycles — creating a subtle, hard-to-detect operational disruption.

Weaknesses (CWE)

CWE-1284 — Improper Validation of Specified Quantity in Input: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 27, 2026
Last Modified
June 2, 2026
First Seen
May 27, 2026

Related Vulnerabilities