Description
IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Published: 2026-06-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Engineering Workflow Management versions 7.0.2 through 7.1 are vulnerable to HTTP header injection due to improper validation of the HOST header. The flaw allows an attacker to insert arbitrary header values, which can lead to cross‑site scripting, cache poisoning, or session hijacking on end users when the application processes or forwards those headers.

Affected Systems

The affected products are IBM Engineering Workflow Management 7.0.2 (interim fix 035), 7.0.3 (interim fix 017), and 7.1 (interim fix 004). Existing installations that have not applied the respective iFix updates are susceptible.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate to high risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request sent directly to the application, exploiting the Host header without requiring authentication. Because the flaw can result in XSS and session hijacking, the risk to confidentiality and integrity is significant for users who trust the application.

Generated by OpenCVE AI on June 22, 2026 at 16:28 UTC.

Remediation

Vendor Solution

Affected Product(s)Version(s)Remediation/Fix/Instructions IBM Engineering Lifecycle Management - Engineering Workflow Management 7.0.2Download and install  iFix036 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later IBM Engineering Lifecycle Management - Engineering Workflow Management 7.0.3Download and install  iFix018 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later IBM Engineering Lifecycle Management - Engineering Workflow Management 7.1.0Download and install  iFix005 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later

OpenCVE Recommended Actions

  • Download and install the applicable IBM iFix (iFix036 for 7.0.2 or later, iFix018 for 7.0.3 or later, iFix005 for 7.1 or later) from the IBM Fix Central links provided.
  • Configure the application’s web server to validate or reject arbitrary Host headers, limiting them to the legitimate domain names used by the product.
  • After applying the fix, monitor application logs for anomalous Host header activity and perform periodic security scans to ensure the vulnerability remains addressed.

Generated by OpenCVE AI on June 22, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Title IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities Host Header Injection observed
First Time appeared Ibm
Ibm engineering Workflow Management
Weaknesses CWE-644
CPEs cpe:2.3:a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.0.2:interim_fix_035:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:interim_fix_017:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:interim_fix_004:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_workflow_management:7.1:interim_fix_004:*:*:*:*:*:*
Vendors & Products Ibm
Ibm engineering Workflow Management
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ibm Engineering Workflow Management
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T17:50:32.985Z

Reserved: 2024-10-28T10:49:59.192Z

Link: CVE-2024-51454

cve-icon Vulnrichment

Updated: 2026-06-22T17:50:27.630Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T17:45:05Z

Weaknesses
  • CWE-644

    Improper Neutralization of HTTP Headers for Scripting Syntax