CVE-2026-1264
Published: 17 March 2026
Summary
CVE-2026-1264 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in IBM Sterling B2B Integrator. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 11.3 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly defines and prohibits critical actions without identification or authentication, directly addressing the missing authentication for viewing and deleting partners and communities.
AC-3 enforces approved authorizations for logical access, preventing unauthorized remote attackers from viewing partner details or deleting communities and partners.
AC-6 enforces least privilege, restricting low-privilege (PR:L) users from performing high-integrity impact actions like partner and community deletions.
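The three controls above map onto one policy enforcement point. The following is an added, constructed example (not IBM Sterling code; the action names, roles and community identifiers are assumed) showing a deny-by-default authorizer that applies AC-14 (only explicitly listed actions may run unauthenticated), AC-3 (object-level authorization for the community being acted on) and AC-6 (deletion of partners and communities reserved for an administrative role).

```python
"""Deny-by-default authorizer for partner/community actions.
Constructed example; action, role and community names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# AC-14: the only actions explicitly permitted without identification
# or authentication. Viewing or deleting partners/communities is NOT here.
ANONYMOUS_ALLOWED = frozenset({"view_login_page"})

# AC-3 / AC-6: approved authorizations per role; deletes need the admin role.
ROLE_PERMISSIONS = {
    "partner_user": frozenset({"view_partners"}),
    "community_admin": frozenset(
        {"view_partners", "delete_partner", "delete_community"}),
}


@dataclass
class Request:
    action: str                     # e.g. "delete_community" (assumed name)
    community: str                  # target community identifier
    principal: Optional[str] = None  # None means unauthenticated caller
    roles: frozenset = field(default_factory=frozenset)
    # communities this principal administers (object-level AC-3 check)
    admin_of: frozenset = field(default_factory=frozenset)


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if req.action in ANONYMOUS_ALLOWED:
        return True, "AC-14: action explicitly permitted without authentication"
    if req.principal is None:
        return False, "AC-14: critical function requires authentication"
    granted = set().union(
        *(ROLE_PERMISSIONS.get(r, frozenset()) for r in req.roles))
    if req.action not in granted:
        return False, f"AC-6: roles {sorted(req.roles)} lack '{req.action}'"
    # Destructive actions are also scoped to communities the caller administers.
    if req.action.startswith("delete_") and req.community not in req.admin_of:
        return False, f"AC-3: not an administrator of community '{req.community}'"
    return True, "AC-3: approved authorization"


if __name__ == "__main__":
    # Constructed sample requests: the unauthenticated delete must be denied.
    for r in (Request("delete_community", "acme"),
              Request("view_partners", "acme", "bob", frozenset({"partner_user"})),
              Request("delete_community", "acme", "alice",
                      frozenset({"community_admin"}), frozenset({"acme"}))):
        print(r.action, r.principal, authorize(r))
```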
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on critical functions in a public-facing B2B application directly enables remote exploitation of the exposed endpoints for unauthorized actions.
NVD Description
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 allows a remote unauthenticated attacker to view and delete the partners of a community and to delete the communities.
Deeper analysis
CVE-2026-1264 is a vulnerability affecting IBM Sterling B2B Integrator and IBM Sterling File Gateway in versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0. Published on 2026-03-17, it stems from CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N). The flaw enables a remote unauthenticated attacker to view and delete partners within a community and to delete entire communities.
A low-privilege remote attacker (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants limited confidentiality access, such as viewing partner details (C:L), but primarily results in high integrity impact (I:H) by allowing deletion of partners and communities, potentially disrupting B2B operations without affecting availability.
The IBM security bulletin at https://www.ibm.com/support/pages/node/7266518 details available patches and mitigation steps for affected versions.
Details
- CWE(s)