CVE-2026-2606 - Vulnerability Details

- IBM webMethods API Management fails to validate user input and enables unauthorized arbitrary file read

Description

IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.

Published: 2026-03-03

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

IBM WebMethods API Gateway fails to validate the URL parameter of the /createapi endpoint, allowing an attacker to supply a file:// URI instead of the expected https:// scheme. This flaw permits reading arbitrary files from the underlying server file system, potentially exposing confidential data, configuration files, or source code. The weakness is a file-path traversal error (CWE-22). The resulting disclosure can compromise system confidentiality.

Affected Systems

IBM WebMethods API Gateway (on‑prem) versions 10.11, 10.15, and 11.1 that have not installed the specific vendor‑provided fixes: 10.11_Fix33, 10.15_Fix28, and 11.1_Fix8. Any installation of these products without the stated patches is vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS 6.5, indicating moderate severity, and has an EPSS score of less than 1%, suggesting low exploitation probability. It is not listed in the CISA KEV catalog. The attack likely requires the attacker to reach the /createapi endpoint, which may be protected by authentication or network segmentation. If the endpoint is reachable and the attacker can craft the URL parameter, they can read any file the server process can access, giving significant potential impact if privilege escalation is feasible.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

webMethods API Gateway (on-prem)

affected

Version	Status	Constraints
`10.11`	affected	≤ 10.11_Fix32
`10.15`	affected	≤ 10.15_Fix27
`11.1`	affected	≤ 11.1_Fix7

Configuration 1 [-]

OR	cpe:2.3:a:ibm:webmethods_api_gateway:10.11:-:::on-prem:::*
	cpe:2.3:a:ibm:webmethods_api_gateway:10.11:fix32:::on-prem:::*
	cpe:2.3:a:ibm:webmethods_api_gateway:10.15:-:::on-prem:::*
	cpe:2.3:a:ibm:webmethods_api_gateway:10.15:fix27:::on-prem:::*
	cpe:2.3:a:ibm:webmethods_api_gateway:11.1:-:::on-prem:::*
	cpe:2.3:a:ibm:webmethods_api_gateway:11.1:fix7:::on-prem:::*

No data.

Vendor Product Confidence Versions

Ibm

Webmethods Api Gateway On Prem

95%

Version	Status	Scheme	Platform
`[10.11,10.11_Fix32]`	affected	generic	—
`[10.15,10.15_Fix27]`	affected	generic	—
`[11.1,11.1_Fix7]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability by applying the following fixes: IBM webMethods API Gateway - 10.11_Fix33 IBM webMethods API Gateway - 10.15_Fix28 IBM webMethods API Gateway - 11.1_Fix8 Above mentioned fixes can be installed using the tool - 'IBM webMethods Update Manager', which is available at: https://www.ibm.com/eserver/support/fixes/fixcentral

OpenCVE Recommended Actions

Apply IBM’s recommended fixes for WebMethods API Gateway: 10.11_Fix33, 10.15_Fix28, or 11.1_Fix8 using the IBM Update Manager.
Limit access to the /createapi endpoint to trusted network zones or authenticated users, and configure network segmentation to restrict external exposure.
Enforce strict validation of URL parameters in the gateway configuration, ensuring that only https:// schemes are accepted and rejecting any file:// or other unsupported schemas.

Generated by OpenCVE AI on April 16, 2026 at 14:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00058.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.ibm.com/support/pages/node/7261122

History

Thu, 05 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ibm webmethods Api Gateway
CPEs		cpe:2.3:a:ibm:webmethods_api_gateway:10.11:-:::on-prem:::* cpe:2.3:a:ibm:webmethods_api_gateway:10.11:fix32:::on-prem:::* cpe:2.3:a:ibm:webmethods_api_gateway:10.15:-:::on-prem:::* cpe:2.3:a:ibm:webmethods_api_gateway:10.15:fix27:::on-prem:::* cpe:2.3:a:ibm:webmethods_api_gateway:11.1:-:::on-prem:::* cpe:2.3:a:ibm:webmethods_api_gateway:11.1:fix7:::on-prem:::*
Vendors & Products		Ibm webmethods Api Gateway

Wed, 04 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.
Title		IBM webMethods API Management fails to validate user input and enables unauthorized arbitrary file read
First Time appeared		Ibm Ibm webmethods Api Gateway On Prem
Weaknesses		CWE-22
CPEs		cpe:2.3:a:ibm:webmethods_api_gateway_on_prem:10.11:::::::* cpe:2.3:a:ibm:webmethods_api_gateway_on_prem:10.11_fix3210.15:::::::*
Vendors & Products		Ibm Ibm webmethods Api Gateway On Prem
References		https://www.ibm.com/support/pages/node/7261122
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Ibm Webmethods Api Gateway Webmethods Api Gateway On Prem

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-03-03T19:38:30.609Z

Updated: 2026-03-04T21:11:13.359Z

Reserved: 2026-02-16T22:12:35.250Z

Link: CVE-2026-2606

Vulnrichment

Updated: 2026-03-04T21:11:07.613Z

NVD

Status : Analyzed

Published: 2026-03-03T20:16:49.783

Modified: 2026-03-05T20:55:35.433

Link: CVE-2026-2606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:15:28Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object