Description
An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.
Published: 2026-06-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insecure deserialization of objects transmitted between the client and the Layer 7 API Gateway. An attacker who intercepts and modifies the traffic can force the gateway to instantiate arbitrary objects. Because the gateway processes these objects before enforcing security checks, the attacker could break security expectations or trigger remote code execution. The weakness is classified as CWE‑502, insecure deserialization.

Affected Systems

Broadcom Layer 7 API Gateway is affected. No specific version information is provided in the advisory, so all releases of the product are potentially impacted until a fix is released.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV, so the likelihood of widespread exploitation is currently uncertain. The description specifies that an attacker must be able to perform a man‑in‑the‑middle between the client and the gateway, implying a network‑level compromise or compromised endpoint. If such conditions exist, the attacker could deploy malicious payloads that, after deserialization, execute code on the gateway. No public exploit is reported, but the potential for remote code execution warrants careful monitoring.

Generated by OpenCVE AI on June 10, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Use mutual TLS or strict certificate validation to prevent man‑in‑the‑middle traffic from reaching the API Gateway.
  • Block or tightly control network paths that can perform MITM between client applications and the API Gateway, such as applying firewall rules or using a dedicated, isolated network segment.
  • Apply any vendor‑issued patch or update for the Layer 7 API Gateway as soon as it becomes available; if no patch is yet released, monitor Broadcom advisories for updates regularly.

Generated by OpenCVE AI on June 10, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.
Title Insecure Deserialization via MITM in Layer 7 Policy Manager
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: symantec

Published:

Updated: 2026-06-10T06:39:26.498Z

Reserved: 2026-06-09T16:10:09.362Z

Link: CVE-2026-11815

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T07:16:24.713

Modified: 2026-06-10T07:16:24.713

Link: CVE-2026-11815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T07:30:25Z

Weaknesses