{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3207", "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "state": "PUBLISHED", "assignerShortName": "tibco", "dateReserved": "2026-02-25T15:39:30.380Z", "datePublished": "2026-03-17T18:20:16.934Z", "dateUpdated": "2026-03-17T18:49:27.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco", "dateUpdated": "2026-03-17T18:20:16.934Z"}, "title": "TIBCO BPM Enterprise Remote Code Execution (RCE) Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "affected": [{"vendor": "TIBCO", "product": "TIBCO BPM Enterprise", "modules": ["Java Management Extensions (JMX)"], "versions": [{"status": "affected", "version": "4.3", "lessThan": "5", "versionType": "Patch"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Configuration issue\u00a0in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access."}]}], "references": [{"url": "https://community.tibco.com/advisories/tibco-security-advisory-march-17-2026-tibco-bpm-enterprise-cve-2026-3207-r226/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T18:48:39.829764Z", "id": "CVE-2026-3207", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:49:27.505Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3207", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T18:48:39.829764Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:49:05.764Z"}}], "cna": {"title": "TIBCO BPM Enterprise Remote Code Execution (RCE) Vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TIBCO", "modules": ["Java Management Extensions (JMX)"], "product": "TIBCO BPM Enterprise", "versions": [{"status": "affected", "version": "4.3", "lessThan": "5", "versionType": "Patch"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.tibco.com/advisories/tibco-security-advisory-march-17-2026-tibco-bpm-enterprise-cve-2026-3207-r226/"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Configuration issue\u00a0in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access.", "supportingMedia": [{"type": "text/html", "value": "Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}]}], "providerMetadata": {"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco", "dateUpdated": "2026-03-17T18:20:16.934Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3207", "state": "PUBLISHED", "dateUpdated": "2026-03-17T18:49:27.505Z", "dateReserved": "2026-02-25T15:39:30.380Z", "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "datePublished": "2026-03-17T18:20:16.934Z", "assignerShortName": "tibco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:bpm_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "464FB302-4C2F-42A4-95EF-09370F7C74EF", "versionEndExcluding": "4.3.5", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Configuration issue\u00a0in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access."}, {"lang": "es", "value": "Problema de configuraci\u00f3n en Java Management Extensions (JMX) en TIBCO BPM Enterprise versi\u00f3n 4.x permite acceso no autorizado."}], "id": "CVE-2026-3207", "lastModified": "2026-04-02T20:46:14.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2026-03-17T19:16:02.637", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://community.tibco.com/advisories/tibco-security-advisory-march-17-2026-tibco-bpm-enterprise-cve-2026-3207-r226/"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@tibco.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.3,5)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "TIBCO BPM Enterprise", "source": "cna", "vendor": "TIBCO"}, "product": "bpm_enterprise", "vendor": "tibco"}], "analysis": {"en": {"generated_at": "2026-04-03T00:25:23.350686+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch issued by TIBCO for CVE-2026-3207", "Verify that JMX access is restricted to trusted hosts and requires authentication", "Ensure that the JMX ports are not exposed to the public internet or untrusted networks"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via unauthorized JMX access"}, "threat_synthesis": {"affected_systems": "TIBCO BPM Enterprise 4.x installations are affected. The attack applies to any environment where JMX is enabled and accessible without proper authentication.", "description_and_impact": "The flaw arises from a configuration issue in Java Management Extensions (JMX) for TIBCO BPM Enterprise 4.x, permitting unauthorised access without authentication. This weakness (CWE-306) can enable an attacker to execute arbitrary code on the host, compromising confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation in the wild. It is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would typically target the JMX interface over the network, exploiting the lack of authentication to gain remote code execution. No public exploit is documented, but the risk remains due to the high impact of potential code execution."}}}}, "created": "2026-03-18T12:12:59.682515+00:00", "updated": "2026-04-03T09:39:26.806392+00:00", "vendors": ["tibco", "tibco$PRODUCT$bpm_enterprise"]}