Description
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Published: 2026-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized actions via CSRF on trusted sessions
Action: Immediate Patch
AI Analysis

Impact

A flaw in IBM DataPower Gateway allows a cross‑site request forgery attack that can compel a legitimate authenticated user to perform privileged operations without the user’s knowledge. This vulnerability, classified as CWE‑352, permits attackers to inject malicious requests and execute unintended administrative actions within the gateway, potentially leading to configuration tampering or unauthorized data disclosure.

Affected Systems

IBM DataPower Gateway 10.5.0 versions 10.5.0.0 through 10.5.0.20, 10.6.0 versions 10.6.0.0 through 10.6.0.8, and 10.6CD versions 10.6.1.0 through 10.6.5.0 are impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score below 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The description does not specify the exact attack vector; the likely scenario is that an attacker lures a user who is already logged into the gateway to a malicious web page (for example via phishing), causing the user's browser to send a crafted HTTP request that exploits the CSRF weakness to perform privileged actions without additional authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) is consistent with this scenario: user interaction is required, and the impact is to integrity rather than confidentiality or availability.

Generated by OpenCVE AI on April 6, 2026 at 19:56 UTC.

Remediation

Vendor Solution

Affected Product(s)                                | Fixed in Version | Fix link
IBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0   | 10.6.6.0         | Installation and Upgrade 10.6.x: https://www.ibm.com/docs/en/datapower-gateway/10.6.x
IBM DataPower Gateway 10.6.0 10.6.0.0 - 10.6.0.8   | 10.6.0.9         | Installation and Upgrade 10.6.0: https://www.ibm.com/docs/en/datapower-gateway/10.6.0
IBM DataPower Gateway 10.5.0 10.5.0.0 - 10.5.0.20  | 10.5.0.21        | Installation and Upgrade 10.5.0: https://www.ibm.com/docs/en/datapower-gateway/10.5.0

IBM strongly recommends upgrading to a fixed version.


OpenCVE Recommended Actions

  • Upgrade to a fixed build: IBM DataPower Gateway 10.6CD 10.6.6.0, 10.6.0 10.6.0.9, or 10.5.0 10.5.0.21, following IBM’s installation guides.
  • Confirm the installed firmware matches the released version after the upgrade.
  • If an upgrade cannot be performed immediately, limit administrative access to the gateway by firewall or VPN and enforce strong authentication mechanisms.
  • Implement or enforce CSRF protection tokens for web interfaces and APIs if available.
  • Monitor gateway logs for anomalous or automated requests and investigate any suspicious activity.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ibm datapower Gateway
CPEs                |                | cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:continuous_delivery:*:*:*
Vendors & Products  |                | Ibm datapower Gateway

Fri, 03 Apr 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Title               |                | IBM DataPower Gateway vulnerable to CSRF
First Time appeared |                | Ibm
                    |                | Ibm datapower Gateway 1050
                    |                | Ibm datapower Gateway 1060
                    |                | Ibm datapower Gateway 106cd
Weaknesses          |                | CWE-352
CPEs                |                | cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*
Vendors & Products  |                | Ibm
                    |                | Ibm datapower Gateway 1050
                    |                | Ibm datapower Gateway 1060
                    |                | Ibm datapower Gateway 106cd
References          |                |
Metrics             |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-03T13:56:04.937Z

Reserved: 2025-04-15T21:16:56.325Z

Link: CVE-2025-36375

Vulnrichment

Updated: 2026-04-03T13:49:32.435Z

NVD

Status : Analyzed

Published: 2026-04-01T23:17:01.323

Modified: 2026-04-06T16:30:41.043

Link: CVE-2025-36375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:26Z

Weaknesses