Description
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.
Published: 2026-04-01
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data disclosure to improperly privileged administrators
Action: Patch promptly
AI Analysis

Impact

IBM DataPower Gateway versions 10.5.0, 10.6.0 and 10.6CD contain an access‑control flaw (CWE‑497) that permits an administrative user to retrieve configuration data and other sensitive system information from domains that the user should not be able to view. This weakness can expose credentials, system settings and other confidential details, thereby compromising the confidentiality of all managed domains.

Affected Systems

Affected products include IBM DataPower Gateway 10.5.0 (10.5.0.0 through 10.5.0.20), 10.6.0 (10.6.0.0 through 10.6.0.8) and 10.6CD (10.6CD 10.6.1.0 through 10.6.5.0). The issue is resolved in the following releases: 10.5.0.21, 10.6.0.9, 10.6.1.0, 10.6.5.0 and 10.6.6.0. Detailed upgrade instructions and fix lists are available at https://www.ibm.com/docs/en/datapower-gateway/10.5.0, https://www.ibm.com/docs/en/datapower-gateway/10.6.0 and https://www.ibm.com/docs/en/datapower-gateway/10.6.x.

Risk and Exploitability

The CVSS base score of 4.1 indicates moderate severity, while an EPSS score of less than 1 % suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrative authentication or control; attackers would need to log in as an administrator or compromise an existing admin account to leverage the flaw, thereby limiting threat exposure primarily to insiders or accounts later hijacked by external actors.

Generated by OpenCVE AI on April 6, 2026 at 21:52 UTC.

Remediation

Vendor Solution

Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0

OpenCVE Recommended Actions

  • Upgrade the affected DataPower Gateway to the latest patched versions (10.5.0.21, 10.6.0.9, 10.6.1.0, 10.6.5.0 or 10.6.6.0) using instructions from IBM’s official documentation URLs provided above.
  • Verify that the administrative interface is protected by strong authentication mechanisms and that only trusted administrators have access.
  • If an upgrade is delayed, isolate administrative access to a secure network segment, enforce strict role‑based access controls and monitor for anomalous cross‑domain data retrieval activities.

Generated by OpenCVE AI on April 6, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Ibm datapower Gateway
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:continuous_delivery:*:*:*
Vendors & Products Ibm datapower Gateway

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.
Title Incorrect administrative access control in IBM DataPower Gateway
First Time appeared Ibm
Ibm datapower Gateway 1050
Ibm datapower Gateway 1060
Ibm datapower Gateway 106cd
Weaknesses CWE-497
CPEs cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*
cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm datapower Gateway 1050
Ibm datapower Gateway 1060
Ibm datapower Gateway 106cd
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Ibm Datapower Gateway Datapower Gateway 1050 Datapower Gateway 1060 Datapower Gateway 106cd
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T15:49:19.578Z

Reserved: 2025-04-15T21:16:56.325Z

Link: CVE-2025-36373

cve-icon Vulnrichment

Updated: 2026-04-02T15:49:05.681Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:57.897

Modified: 2026-04-06T16:50:00.793

Link: CVE-2025-36373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:25Z

Weaknesses