Description
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
Published: 2026-05-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw (CWE-89) that exists in IBM Cloud Pak for Data System – Cyclops in versions 11.3.0.2 through Interim Fix 002. A remote attacker can craft specially formatted SQL statements that are executed against the back‑end database, enabling the attacker to read sensitive data, add new records, modify existing records or delete data altogether. The impact is therefore the loss of confidentiality, integrity, and potentially availability of the database contents.

Affected Systems

The affected products are IBM Cloud Pak for Data System – Cyclops. Version 11.3.0.2 is vulnerable, as is any deployment that has not yet applied Interim Fix 002. The fix is delivered in Cyclops 11.3.1.1-WS-ICPDS-CYCLOPS-fp278500.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk. EPSS is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote, through the Cyclops service interface, where an attacker with network connectivity could send malicious queries. Exploitation requires only network access to the service and does not appear to require privileged credentials, making the attack path relatively straightforward for an external adversary.

Generated by OpenCVE AI on May 26, 2026 at 18:27 UTC.

Remediation

Vendor Solution

Fixed version: IBM Cloud Pak for Data System - Cyclops 11.3.1.1-WS-ICPDS-CYCLOPS-fp278500
Fix link: https://www.ibm.com/support/fixcentral/swg/downloadFixes


OpenCVE Recommended Actions

  • Apply the IBM fix for Cyclops version 11.3.1.1-WS-ICPDS-CYCLOPS-fp278500 to eliminate the SQL injection vector.
  • Restrict network access to the Cyclops API endpoints, allowing only trusted IP ranges or VPN connections to reduce exposure to remote attackers.
  • Enable comprehensive audit logging on database interactions to detect any anomalous query activity and support forensic investigation.

Advisories

No advisories yet.

History

Tue, 26 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
Title | (none) | Vulnerabilities exists in IBM Cloud Pak for Data System (CPDS 1.0) - Cyclops.
First Time appeared | (none) | Ibm; Ibm cloud Pak For Data System Cyclops
Weaknesses | (none) | CWE-89
CPEs | (none) | cpe:2.3:a:ibm:cloud_pak_for_data_system___cyclops:11.3.0.2:*:*:*:*:*:*:*; cpe:2.3:a:ibm:cloud_pak_for_data_system___cyclops:interim:interim_fix_002:*:*:*:*:*:*
Vendors & Products | (none) | Ibm; Ibm cloud Pak For Data System Cyclops
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T17:38:43.369Z

Reserved: 2025-04-15T21:16:41.801Z

Link: CVE-2025-36220

Vulnrichment

Updated: 2026-05-26T17:37:40.471Z

NVD

Status: Awaiting Analysis

Published: 2026-05-26T17:16:29.143

Modified: 2026-05-26T19:06:14.330

Link: CVE-2025-36220

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:15:14Z

Weaknesses