Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-2606
PUBLISHED
More InfoOfficial Page
Assigner-ibm
Assigner Org ID-9a959283-ebb5-44b6-b705-dcc2bbced522
View Known Exploited Vulnerability (KEV) details
Published At-03 Mar, 2026 | 19:38
Updated At-03 Mar, 2026 | 19:38
Rejected At-
▼CVE Numbering Authority (CNA)
IBM webMethods API Management fails to validate user input and enables unauthorized arbitrary file read

IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.

Affected Products
Vendor
IBM CorporationIBM
Product
webMethods API Gateway (on-prem)
CPEs
  • cpe:2.3:a:ibm:webmethods_api_gateway_on_prem:10.11:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:webmethods_api_gateway_on_prem:10.11_fix3210.15:*:*:*:*:*:*:*
Versions
Affected
  • From 10.11 through 10.11_Fix32 (semver)
  • From 10.15 through 10.15_Fix27 (semver)
  • From 11.1 through 11.1_Fix7 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

IBM strongly recommends addressing the vulnerability by applying the following fixes: IBM webMethods API Gateway - 10.11_Fix33 IBM webMethods API Gateway - 10.15_Fix28 IBM webMethods API Gateway - 11.1_Fix8 Above mentioned fixes can be installed using the tool - 'IBM webMethods Update Manager', which is available at: https://www.ibm.com/eserver/support/fixes/fixcentral

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.ibm.com/support/pages/node/7261122
vendor-advisory
patch
Hyperlink: https://www.ibm.com/support/pages/node/7261122
Resource:
vendor-advisory
patch
Details not found