CVE-2026-2606

MEDIUM EPSS 21.8%
Published Mar 3, 2026 (4mo ago) · Modified Mar 5, 2026 (4mo ago)
6.5 CVSS 3.1
Medium

Description

IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix32, 10.15 to 10.15_Fix27, 11.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI scheme instead of the expected https:// scheme, enabling unauthorized arbitrary file read access on the underlying server file system.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
21.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 6

Vendor  Product                 Version  Range
ibm     webmethods_api_gateway  10.11    any
ibm     webmethods_api_gateway  10.11    any
ibm     webmethods_api_gateway  10.15    any
ibm     webmethods_api_gateway  10.15    any
ibm     webmethods_api_gateway  11.1     any
ibm     webmethods_api_gateway  11.1     any

References 1

  • ibm.com https://www.ibm.com/support/pages/node/7261122
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.