Pre-Auth RCE in IBM Db2 (CVE-2026-10109): Patch the Core Database Now
IBM Db2, the enterprise core database, has a flaw (CVE-2026-10109): tampering with the pre-login connection exchange lets an attacker run commands on the server with no authentication. Rated 9.8; IBM has shipped special fix builds, so apply them now.
A critical flaw has been found in IBM Db2, the enterprise database that has underpinned the core systems of banks, government agencies, and large companies for decades. By merely abusing the exchange that happens before you enter login details, an attacker can take over the server without passing authentication. The flaw is tracked as CVE-2026-10109, rated 9.8 out of 10 (CVSS v3.1), among the highest possible. IBM published its security bulletin dated June 30, 2026.
The most dangerous part is that the attack needs no login (pre-authentication). It targets not a feature only legitimate users can reach, but the very entrance of a connection that hasn't yet authenticated. A database is where an organization's most important information gathers, so being taken over there without authentication is close to a worst case. IBM has already distributed special fix builds, so any organization running an affected version should act now.
| Item | Details |
|---|---|
| CVE ID | CVE-2026-10109 |
| Affected software | IBM Db2 (Linux/UNIX/Windows) 11.5.0–11.5.9 / 12.1.0–12.1.4 |
| Severity (CVSS) | 9.8 (v3.1), top tier |
| Attack prerequisite | Reaching the Db2 connection port (no login, no user interaction) |
| Mitigation now | Apply IBM's special fix build (as a stopgap, block the port from outside) |
* "Pre-authentication" means the stage before a username or password is checked. That stage should be like the "front porch": even if it is attacked, no one should get inside. Yet here the takeover succeeds right there on the porch.
Who is at risk, and what is the damage?
The ones who go after this are attackers scanning the network for Db2 connection ports. A database accepts connections from other systems and responds, so its connection window (port) is open. Attackers scan servers worldwide and target any port where Db2 responds the moment they find it. Since this flaw needs no login, any server they can reach becomes a target. Even if you believe it's only on the internal network, a misconfiguration or a breach of another system used as a stepping stone can let attackers reach it from outside.
What the attacker does is send crafted traffic into the pre-authentication "connection negotiation" and exploit a gap in that processing to run commands on the server. When Db2 connects with a client, it first goes through a procedure to align how they communicate. This initial exchange is flawed, so the server executes commands slipped into content that should be treated as mere data. Because it's before any login attempt, the attack succeeds even against someone with no legitimate account.
Once arbitrary commands can run, the server is effectively taken over. A database gathers an organization's most important data: customer information, transaction records, credentials. That leads straight to wholesale theft, tampering, being encrypted and made unusable (ransomware), or a foothold into other systems. The direct targets are the companies and agencies operating Db2, but the ones ultimately affected are the ordinary people whose personal data sits there. In the sense that the very vault holding your data is what gets hit, this is not only the operators' problem.
What IBM Db2 is, and why it concerns so many organizations
IBM Db2 is an enterprise database management system for storing and processing large volumes of data safely and quickly. A long-lived product dating to 1983, it has been used especially in the core systems of financial institutions such as banks, insurers, and securities firms, as well as government agencies and large enterprises. Valued for the reliability to handle millions of transactions a day without stopping, it often underpins the kind of systems that "must never go down."
A hallmark of such core databases is that they are invisible from the front yet sit at the heart of operations. Rather than a screen users touch directly, they hold all the data behind it. That's exactly why keeping them running takes priority and updates (patching) tend to be deferred. The "it's running, don't touch it" mindset is what leaves old flaws unaddressed. A pre-authentication takeover like this one strikes precisely those deferred databases, forcing operators into the hard call of "do we take it down to patch?"
Why can the server be taken over before anyone logs in?
Technically this flaw is a type called code injection (CWE-94): slipping commands into input that should be treated as mere data, and getting the program to execute them by mistake.
When Db2 communicates with a client (the side connecting in), it uses a convention (protocol) called DRDA. DRDA stands for "Distributed Relational Database Architecture," a shared set of rules for programs and databases in different locations to talk. At the start of a connection, they go through a "handshake" to align how and on what terms they communicate, but according to IBM's writeup, the part that processes connection parameters during this pre-authentication handshake was flawed. So when an attacker slips commands into that negotiation, Db2 executes them.
What makes the problem so serious is that this abuse works before any login attempt (pre-auth). The attacker doesn't even need a valid ID or password; reaching the Db2 port and starting the handshake is enough. That's why the severity is rated at the top tier of 9.8. The German tech outlet heise also highlighted the danger of striking this "first handshake with the client."
Is my server at risk? A quick situation chart
Your risk depends heavily on whether your version is in scope and from where the Db2 connection port can be reached. Match your situation against the chart.
| Your situation | Risk | What to do now |
|---|---|---|
| Affected version, port reachable from the internet | Highest (can be taken over unauth) | Apply the special build now. If not possible, block external access |
| Affected version, used only on internal network | High (insiders / pivots can abuse) | Apply promptly. Restrict where connections come from |
| Unsure whether you use Db2 | Unknown = check (often runs behind core systems) | Inventory first. Confirm the product and version |
| Already applied the special build | Low (this flaw is fixed) | Check for signs of intrusion; keep updating going forward |
* In scope are IBM Db2 (Linux/UNIX/Windows) 11.5.0–11.5.9 and 12.1.0–12.1.4. IBM distributes special builds with the fix on Fix Central, which can be applied to each affected level. If you use a cloud edition or Db2 bundled inside another IBM product, also check the vendor's guidance.
What you should do now
The top priority is to apply IBM's special fix build. This flaw is fixed by that update. Following the IBM security bulletin, get the special build matching your version from Fix Central and apply it. Flaws that allow unauthenticated takeover are hunted automatically right after disclosure, so this is a "do it now" matter, not an "at the next scheduled maintenance" one.
If, because it's a core database, you "can't take it down right away," consider a stopgap of making the Db2 connection port unreachable from outside. Don't expose it directly to the internet, narrow the devices and networks that can connect to the bare minimum, and limit source addresses with a firewall. Since the attack requires reaching the Db2 port, simply cutting the path of reach greatly reduces the risk.
Also check whether you have already been breached. Look for unfamiliar process launches, suspicious outbound traffic, or unfamiliar files on the database server. As of this article, we have not confirmed any public report (such as a listing in the U.S. CISA Known Exploited Vulnerabilities catalog, KEV) of real-world exploitation, but core databases are high-value to attackers, so it's safest to prepare on the assumption that abuse will spread. The situation can change, so check official sources regularly.
Frequently asked questions
I don't think we use Db2. Does this concern us?
Not directly. However, Db2 is often used behind core systems that users never touch, and "we didn't realize it was running somewhere in our environment" can happen. It's reassuring to inventory your systems and check once whether Db2 is in use. Db2 is also sometimes bundled inside other IBM products, so check the makeup of the products you use too.
Which versions are dangerous, and how do I fix it?
In scope are IBM Db2 (Linux/UNIX/Windows) 11.5.0–11.5.9 and 12.1.0–12.1.4. IBM distributes special builds with the fix on Fix Central, which can be applied to each affected level. You can check your version with Db2's admin commands. If you use a cloud edition or a Db2 embedded in another IBM product, follow that vendor's guidance to update.
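To turn the version check above into something repeatable across many servers, here is an added helper (not from IBM or this article) that parses the output of Db2's `db2level` command and reports whether the installed level falls inside the affected ranges. It assumes `db2level` prints an `Informational tokens are "DB2 vX.Y.Z.W"` line, and the sample output is constructed; because IBM ships the fix as a special build for each affected level rather than a new version, a level "in scope" still has to be checked separately for the special build.

```python
import re
import subprocess
import sys

# Affected ranges as listed on the page (Linux/UNIX/Windows editions).
AFFECTED_RANGES = [((11, 5, 0), (11, 5, 9)), ((12, 1, 0), (12, 1, 4))]

# Assumption: db2level emits a token like "DB2 v11.5.9.0"; the fourth
# component (modification level) is ignored because IBM's ranges are
# stated at major.minor.fixpack granularity.
_TOKEN_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)(?:\.\d+)?"')

# Constructed sample resembling db2level output on an in-scope instance.
SAMPLE_DB2LEVEL = (
    'DB21085I  This instance uses "64" bits and DB2 code release "SQL11059" '
    'with level identifier "0A0A0107".\n'
    'Informational tokens are "DB2 v11.5.9.0", "s2310270807", '
    '"DYN2310270807AMD64", and Fix Pack "0".\n'
    'Product is installed at "/opt/ibm/db2/V11.5".\n'
)


def parse_db2level(output: str):
    """Return (major, minor, fixpack) from db2level output, or None if absent."""
    m = _TOKEN_RE.search(output)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version) -> bool:
    """Tuple comparison checks the version against each inclusive range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(output: str) -> str:
    """Classify a db2level dump for CVE-2026-10109 scoping."""
    v = parse_db2level(output)
    if v is None:
        return "unknown: no DB2 version token found; inventory this host manually"
    label = ".".join(map(str, v))
    if is_affected(v):
        # Assumption: the special build keeps the same version token, so this
        # result means "confirm the special build is installed", not "exploitable".
        return f"in scope ({label}): confirm IBM's special build is applied"
    return f"out of scope ({label}) for the ranges in IBM's bulletin"


if __name__ == "__main__":
    # Run against the live instance when db2level is on PATH; else use the sample.
    try:
        text = subprocess.run(["db2level"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        text = SAMPLE_DB2LEVEL
    print(assess(text), file=sys.stdout)
```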
I can't take it down right away. What should I do?
For now, make the Db2 connection port unreachable from outside. Don't expose it directly to the internet, narrow the networks and devices that can connect to the minimum, and limit source addresses with a firewall. Since this attack requires reaching the Db2 port, cutting the path of reach alone greatly lowers the risk. Then apply the special build at a time you can stop the system in a planned way.
Is it already being exploited?
As of this article, we have not confirmed any public report (such as a CISA KEV listing) that this flaw has been used in real attacks. That said, core databases are high-value to attackers, and unauthenticated-takeover flaws tend to be hunted right after disclosure. It's safest to finish patching before abuse spreads. The situation can change, so check official sources regularly.
Summary
CVE-2026-10109 is a flaw in IBM Db2, the enterprise core database: it fails to safely process the first connection exchange with a client (the DRDA handshake), and it can be abused before any login attempt. By connecting to the Db2 port and tampering with the pre-authentication exchange, an attacker can run any command on the server. Because a database gathers an organization's most important information, the damage from a takeover is immense. The severity is rated at the top tier of 9.8.
The fix is clear: apply IBM's special fix build immediately. If you can't take it down right away, buy time by making the Db2 connection port unreachable from outside, and check whether you've already been breached. "Can't stop it, so put it off" is the most dangerous choice. Precisely because it's the heart of your core systems, acting now is what prevents the damage.
Update history
- July 1, 2026: First published (created following the NVD entry dated June 30, 2026 and the IBM security bulletin).
References
- IBM – Security Bulletin: IBM Db2 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling (CVE-2026-10109)
- NVD – CVE-2026-10109
- IBM – Published Security Vulnerabilities for Db2 (special build information)
- heise online – Critical Client Handshake Vulnerability Threatens IBM Db2
- MITRE – CWE-94 (Code Injection)

Makoto Horikawa
Backend Engineer / AWS / Django