CVE-2026-39459
Published: 13 May 2026
Summary
CVE-2026-39459 is a high-severity Least Privilege Violation (CWE-272) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29968
Vulnerability details
A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of…
more
Technical Support (EoTS) are not evaluated.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Post-auth privileged arbitrary command execution via config objects directly enables local privilege escalation and Unix shell command execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and update requirements help detect and correct least privilege violations in practice.
Access reviews verify and enforce adherence to least privilege by identifying excess permissions.
Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege.
Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities.
Enforces the least privilege principle to avoid violations of minimal necessary access.
Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused.
The control mandates acknowledgment of least-privilege expectations, making violations by authorized users less likely.
Risk Executive role ensures least privilege is applied uniformly rather than left to individual system owners or projects.