CVE-2026-6389 - Vulnerability Details - OpenCVE

IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Turbonomic Prometurbo Agent

No data.

No data.

No data.

References

Link	Providers
https://www.ibm.com/support/pages/node/7270720

History

Thu, 30 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.
Title		IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability
First Time appeared		Ibm Ibm turbonomic Prometurbo Agent
Weaknesses		CWE-269
CPEs		cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:::::::* cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:::::::*
Vendors & Products		Ibm Ibm turbonomic Prometurbo Agent
References		https://www.ibm.com/support/pages/node/7270720
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-04-30T21:17:06.371Z

Updated: 2026-04-30T21:17:06.371Z

Reserved: 2026-04-15T19:41:36.801Z

Link: CVE-2026-6389

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-30T22:16:26.207

Modified: 2026-04-30T22:16:26.207

Link: CVE-2026-6389

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6389", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-04-15T19:41:36.801Z", "datePublished": "2026-04-30T21:17:06.371Z", "dateUpdated": "2026-04-30T21:17:06.371Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-30T21:17:06.371Z"}, "title": "IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Turbonomic prometurbo agent", "versions": [{"status": "affected", "version": "8.16.0", "lessThanOrEqual": "8.17.6", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster\u2011wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster\u2011wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7270720", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\n\nProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Turbonomic prometurbo agent8.18.0\n\nFollow the installation instructions https://www.ibm.com/docs/en/tarm/8.19.4 from the IBM Turbonomic documentation", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><strong>IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.</strong></p><div><table><tbody><tr><td><strong>Product(s)</strong></td><td><strong>Version(s) number and/or range </strong></td><td><strong>Remediation/Fix/Instructions</strong></td></tr><tr><td>IBM Turbonomic prometurbo agent</td><td>8.18.0</td><td><p>Follow the <a href=\"https://www.ibm.com/docs/en/tarm/8.19.4?topic=configuration-prometheus\" rel=\"nofollow\">installation instructions</a> from the IBM Turbonomic documentation</p></td></tr></tbody></table></div><p></p><p></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}, "credits": [{"lang": "en", "value": "This vulnerability was reported to IBM by Lior Yakim.", "type": "finder"}]}}}