CVE-2025-36373
Incorrect administrative access control in IBM DataPower Gateway
CVSS Score
4.1
EPSS Score
0.0%
EPSS Percentile
6th
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20, and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 could disclose sensitive system information from other domains to an administrative user.
| CWE | CWE-497 |
| Vendor | ibm |
| Product | datapower gateway 10.6cd |
| Published | Apr 1, 2026 |
| Last Updated | Apr 2, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
IBM / DataPower Gateway 10.6CD
10.6.1.0 ≤ 10.6.5.0
IBM / DataPower Gateway 10.5.0
10.5.0.0 ≤ 10.5.0.20
IBM / DataPower Gateway 10.6.0
10.6.0.0 ≤ 10.6.0.8
Credits
Acknowledgement: This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber.