CVE-2026-41954

EUVD-2026-29989
Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
f5CNA
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Affected Products (NVD)
VendorProductVersion
f5big-ip_access_policy_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_access_policy_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_advanced_firewall_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_advanced_firewall_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_advanced_web_application_firewall
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_advanced_web_application_firewall
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_analytics
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_analytics
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_application_acceleration_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_application_acceleration_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_application_security_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_application_security_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_application_visibility_and_reporting
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_application_visibility_and_reporting
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_automation_toolchain
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_automation_toolchain
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_carrier-grade_nat
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_carrier-grade_nat
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_container_ingress_services
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_container_ingress_services
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_ddos_hybrid_defender
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_ddos_hybrid_defender
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_domain_name_system
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_domain_name_system
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_edge_gateway
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_edge_gateway
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_fraud_protection_service
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_fraud_protection_service
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_global_traffic_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_global_traffic_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_link_controller
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_link_controller
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_local_traffic_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_local_traffic_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_policy_enforcement_manager
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_policy_enforcement_manager
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_ssl_orchestrator
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_ssl_orchestrator
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_webaccelerator
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_webaccelerator
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_websafe
17.1.0 ≤
𝑥
≤ 17.1.3
f5big-ip_websafe
17.5.0 ≤
𝑥
≤ 17.5.1
f5big-ip_access_policy_manager
21.0.0
f5big-ip_advanced_firewall_manager
21.0.0
f5big-ip_advanced_web_application_firewall
21.0.0
f5big-ip_analytics
21.0.0
f5big-ip_application_acceleration_manager
21.0.0
f5big-ip_application_security_manager
21.0.0
f5big-ip_application_visibility_and_reporting
21.0.0
f5big-ip_automation_toolchain
21.0.0
f5big-ip_carrier-grade_nat
21.0.0
f5big-ip_container_ingress_services
21.0.0
f5big-ip_ddos_hybrid_defender
21.0.0
f5big-ip_domain_name_system
21.0.0
f5big-ip_edge_gateway
21.0.0
f5big-ip_fraud_protection_service
21.0.0
f5big-ip_global_traffic_manager
21.0.0
f5big-ip_link_controller
21.0.0
f5big-ip_local_traffic_manager
21.0.0
f5big-ip_policy_enforcement_manager
21.0.0
f5big-ip_ssl_orchestrator
21.0.0
f5big-ip_webaccelerator
21.0.0
f5big-ip_websafe
21.0.0
f5big-iq_centralized_management
8.4.0
f5big-ip_access_policy_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_advanced_firewall_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_advanced_web_application_firewall
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_analytics
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_application_acceleration_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_application_security_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_application_visibility_and_reporting
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_automation_toolchain
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_carrier-grade_nat
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_container_ingress_services
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_ddos_hybrid_defender
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_domain_name_system
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_edge_gateway
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_fraud_protection_service
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_global_traffic_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_link_controller
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_local_traffic_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_policy_enforcement_manager
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_ssl_orchestrator
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_webaccelerator
16.1.0 ≤
𝑥
≤ 16.1.6
f5big-ip_websafe
16.1.0 ≤
𝑥
≤ 16.1.6
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
f5big-ip
21.0.0 ≤
𝑥
< 21.0.0.1
CNA
f5big-ip
17.5.0 ≤
𝑥
< 17.5.1.4
CNA
f5big-ip
17.1.0 ≤
𝑥
< 17.1.3.1
CNA
f5big-ip
8.4.0 ≤
𝑥
< 8.4.1
CNA
Common Weakness Enumeration
References
https://my.f5.com/manage/s/article/K32950402