Description
IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions.
Published: 2026-05-26
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM watsonx.data versions 2.2 through 2.3.1 do not properly restrict inbound and outbound connections, allowing an attacker to freely transfer or modify files, potentially compromising data integrity and confidentiality.

Affected Systems

The affected product is IBM watsonx.data, specifically versions 2.2.0 and 2.2.* as well as 2.3.1. Upgrading to watsonx.data 2.3.x or to CPD 5.3.x will resolve the issue.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating a medium severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploits at this time. The likely attack vector involves unauthorized remote access over unrestricted inbound or outbound network connections, meaning an attacker on the same network or with network reach to the system could exploit the lack of connection restriction to transfer or alter files.

Generated by OpenCVE AI on May 26, 2026 at 18:28 UTC.

Remediation

Vendor Solution

The product needs to be installed or upgraded to the latest available level watsonx.data 2.3.x or watsonx.data on CPD 5.3.x.  Installation/upgrade instructions can be found here: https://www.ibm.com/docs/en/software-hub/5.3.x?topic=watsonxdata-installing

OpenCVE Recommended Actions

  • Apply the latest watsonx.data upgrade to version 2.3.x or install CPD 5.3.x as recommended by IBM.
  • Restrict inbound and outbound connections for the watsonx.data service using firewall or network segmentation to limit access to authorized hosts only.
  • Enable file access logging and regularly review logs for abnormal transfer or modification activity to detect potential exploitation attempts.

Generated by OpenCVE AI on May 26, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions.
Title Multiple Vulnerabilities in watsonx.data
First Time appeared Ibm
Ibm watsonxdata
Weaknesses CWE-923
CPEs cpe:2.3:a:ibm:watsonxdata:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:watsonxdata:2.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:watsonxdata:2.3.1:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm watsonxdata
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ibm Watsonxdata
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T17:42:05.425Z

Reserved: 2025-04-15T21:16:19.940Z

Link: CVE-2025-36145

cve-icon Vulnrichment

Updated: 2026-05-26T17:41:56.899Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-26T17:16:28.870

Modified: 2026-05-26T19:06:14.330

Link: CVE-2025-36145

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T18:30:12Z

Weaknesses