{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22598", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.533Z", "datePublished": "2026-01-21T20:51:52.972Z", "dateUpdated": "2026-01-21T21:35:27.687Z"}, "containers": {"cna": {"title": "ManageIQ vulnerable to DoS Attack when creating TimeProfiles", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3"}, {"name": "https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch", "tags": ["x_refsource_MISC"], "url": "https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch"}, {"name": "https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113", "tags": ["x_refsource_MISC"], "url": "https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113"}], "affected": [{"vendor": "ManageIQ", "product": "manageiq", "versions": [{"version": "< radjabov-2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T20:51:52.972Z"}, "descriptions": [{"lang": "en", "value": "ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually."}], "source": {"advisory": "GHSA-m832-x3g8-63j3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T21:35:16.904885Z", "id": "CVE-2026-22598", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T21:35:27.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T21:35:16.904885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T21:35:22.036Z"}}], "cna": {"title": "ManageIQ vulnerable to DoS Attack when creating TimeProfiles", "source": {"advisory": "GHSA-m832-x3g8-63j3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ManageIQ", "product": "manageiq", "versions": [{"status": "affected", "version": "< radjabov-2"}]}], "references": [{"url": "https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3", "name": "https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch", "name": "https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113", "name": "https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T20:51:52.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22598", "state": "PUBLISHED", "dateUpdated": "2026-01-21T21:35:27.687Z", "dateReserved": "2026-01-07T21:50:39.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-21T20:51:52.972Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually."}, {"lang": "es", "value": "ManageIQ es una plataforma de gesti\u00f3n de c\u00f3digo abierto. Se encontr\u00f3 una falla en la API de ManageIQ anterior a la versi\u00f3n radjabov-2 donde se pod\u00eda crear un TimeProfile malformado, lo que provocaba que las solicitudes posteriores de la interfaz de usuario (UI) y la API agotaran el tiempo de espera, lo que llevaba a una denegaci\u00f3n de servicio. La versi\u00f3n radjabov-2 contiene un parche. Tambi\u00e9n se puede aplicar el parche manualmente."}], "id": "CVE-2026-22598", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-21T21:16:09.753", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch"}, {"source": "security-advisories@github.com", "url": "https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113"}, {"source": "security-advisories@github.com", "url": "https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:11:34.595003+00:00", "value": {"mitigation_remediation": ["Upgrade to ManageIQ radjabov-2 or a later release where the patch is integrated", "If an upgrade is delayed, apply the manual patch from the provided commit to recreate the validation in older versions", "Implement API input validation or rate limiting to block malformed TimeProfile creation attempts and monitor system logs for abuse"], "summary": {"action": "Apply Fix", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue applies to the ManageIQ open\u2011source management platform in all releases prior to the radjabov-2 branch, which introduced the necessary guardrails. The affected versions are the default releases until radjabov-2 is deployed, while radjabov-2 and later releases contain a patch that deletes the vulnerability.\n", "description_and_impact": "A malformed TimeProfile in ManageIQ can trigger timeouts on both the user interface and subsequent API calls, effectively freezing the platform and preventing legitimate users from accessing services. The vulnerability stems from improper input validation, allowing an attacker to craft a TimeProfile that causes the system to hang during processing. If the fault is exploited repeatedly, overall availability of the management platform is degraded, potentially impacting multiple applications that depend on it for configuration and monitoring.\n", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.1, indicating high severity, but its EPSS score is reported as under one percent, implying exploitation is currently unlikely. The weakness is identified as CWE\u201120 (Improper Input Validation). Because the flaw is triggered through the public API, an attacker only needs to send a crafted TimeProfile payload, with no additional system privilege required. The KEV status is not listed, meaning no known commercial exploits have been reported yet, though the impact on availability makes it a high\u2011risk issue for exposed installations."}}}}, "created": "2026-01-22T10:08:35.527741+00:00", "updated": "2026-04-18T04:15:05.880874+00:00", "vendors": ["manageiq", "manageiq$PRODUCT$manageiq"]}