CVE-2026-2606
IBM webMethods API Management fails to validate user input and enables unauthorized arbitrary file read
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.
| CWE | CWE-22 |
| Vendor | ibm |
| Product | webmethods api gateway (on-prem) |
| Published | Mar 3, 2026 |
| Last Updated | Mar 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for ibm webmethods api gateway (on-prem)
Be the first to know when new medium vulnerabilities affecting ibm webmethods api gateway (on-prem) are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
IBM / webMethods API Gateway (on-prem)
10.11 ≤ 10.11_Fix32 10.15 ≤ 10.15_Fix27 11.1 ≤ 11.1_Fix7