Description
IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources.
Published: 2026-03-17
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when the caching mechanism in IBM Planning Analytics Local incorrectly marks user‑specific responses as publicly cacheable, enabling an attacker to retrieve sensitive information that should remain private. Key weakness: CWE‑524 Sensitive Information Exposure via Cache. The result is potential data exposure of confidential user data, violating confidentiality.

Affected Systems

Affected versions include IBM Planning Analytics Local 2.1.0 through 2.1.17. The latest fixed release is 2.1.18, available from IBM Fix Central. The product runs on environments such as Microsoft Windows, as indicated by the CPE.

Risk and Exploitability

CVSS score 5.7 indicates moderate severity. EPSS is below 1 %, suggesting low likelihood of exploitation at present, and the flaw is not listed in CISA’s KEV catalog. Attack likely requires the ability to generate a cacheable page, possibly through authenticated requests, though the description does not specify authentication. The risk is moderate in organizations that rely on caching for performance but expose sensitive user data.

Generated by OpenCVE AI on March 19, 2026 at 15:32 UTC.

Remediation

Vendor Solution

Remediation/Fixes It is strongly recommended that you apply the most recent security updates: Affected Product(s) Version(s) Fix IBM Planning Analytics Local 2.1.0 - 2.1.17 IBM Planning Analytics Local 2.1.18 is now available for download from Fix Central IBM Planning Analytics Cloud environment has been remediated.

OpenCVE Recommended Actions

  • Apply IBM Planning Analytics Local 2.1.18 patch from Fix Central
  • Verify that your system is not running any affected version (2.1.0‑2.1.17) and upgrade immediately if it is
  • Review and adjust cache policies to mark sensitive data as private or non‑cacheable
  • Regularly monitor IBM’s security advisories for updates or new mitigations

Generated by OpenCVE AI on March 19, 2026 at 15:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:planning_analytics_local:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 18 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources.
Title IBM Planning Analytics Information Disclosure
First Time appeared Ibm
Ibm planning Analytics Local
Weaknesses CWE-524
CPEs cpe:2.3:a:ibm:planning_analytics_local:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:planning_analytics_local:2.1.17:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm planning Analytics Local
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Ibm Planning Analytics Local
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-18T14:49:19.048Z

Reserved: 2025-12-16T22:13:03.714Z

Link: CVE-2025-14806

cve-icon Vulnrichment

Updated: 2026-03-18T14:49:12.236Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T22:16:13.903

Modified: 2026-03-19T14:43:11.403

Link: CVE-2025-14806

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:32Z

Weaknesses