Description
IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Published: 2026-06-30
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Business Automation Manager Open Editions versions 9.0.0 through 9.4.2 can process XML data containing external entity references, a flaw classified as XML External Entity Injection, or CWE-611. When a malicious XML document is submitted, an attacker can force the server to request arbitrary files or URLs, thereby exposing sensitive data or consuming significant memory resources. The consequence is that confidential information may be disclosed and the system may become unresponsive due to high resource consumption.

Affected Systems

The vulnerability affects IBM Business Automation Manager Open Editions. All deployments of the product in the 9.0.0 through 9.4.2 release series are susceptible.

Risk and Exploitability

The CVSS score for this issue is 7.6, indicating high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The attack vector is presumed to be remote, requiring an attacker to deliver a crafted XML payload to a processing endpoint. If the application accepts untrusted XML input over a network interface, an adversary could exploit the flaw to read arbitrary files or URLs and to exhaust memory, potentially leading to denial of service. The overall risk is elevated because any accessible XML service in the affected product could be targeted.

Generated by OpenCVE AI on June 30, 2026 at 21:26 UTC.

Remediation

Vendor Solution

Product(s): IBM Business Automation Manager Open Editions
Version(s) number and/or range: 9.0.0 - 9.4.2
Remediation/Fix/Instructions: Update to 9.5.0 using the following instructions: IBM Business Automation Manager Open Editions 9.5 Download Document, https://www.ibm.com/support/pages/node/7277082
Note: The reference link is not yet publicly available and will be provided once the GA (General Availability) release is announced.


OpenCVE Recommended Actions

  • Upgrade IBM Business Automation Manager Open Editions to version 9.5.0 using the documented instructions
  • If an immediate upgrade is not feasible, configure the XML parser to disallow external entity resolution and disable DTDs to mitigate the XXE vulnerability
  • Apply any available vendor patch or service pack that addresses the XML external entity processing flaw

Generated by OpenCVE AI on June 30, 2026 at 21:26 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type / Values Removed / Values Added (no values were removed in this entry)

Description: IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Title: XXE attack in IBM Business Automation Manager Open Editions
First Time appeared: Ibm; Ibm business Automation Manager Open Editions
Weaknesses: CWE-611
CPEs: cpe:2.3:a:ibm:business_automation_manager_open_editions:9.0.0:*:*:*:*:*:*:*
      cpe:2.3:a:ibm:business_automation_manager_open_editions:9.4.2:*:*:*:*:*:*:*
Vendors & Products: Ibm; Ibm business Automation Manager Open Editions
References: (none)
Metrics: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:32:43.440Z

Reserved: 2026-06-26T17:12:41.205Z

Link: CVE-2026-13449

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-611: Improper Restriction of XML External Entity Reference