Description
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 expose resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls.
Published: 2026-06-22
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Datacap versions 9.1.7 through 9.1.9 and IBM Datacap Navigator versions 9.1.7 through 9.1.9 allow an attacker to directly request URLs that are not exposed in the user interface. This bypasses the intended access controls and permits unauthorized viewing or manipulation of protected resources, potentially exposing sensitive data or configuration information to users who should not have access to them.

Affected Systems

The vulnerable products are IBM Datacap and IBM Datacap Navigator, specifically versions 9.1.7, 9.1.8, and 9.1.9. Administrators of these installations should verify which instances are running those versions and assess any exposure of privileged URLs.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity assessment. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is remote network access to the web application, where an attacker can craft HTTP requests to the exposed URLs. No additional privileges beyond the ability to reach the application are required, but the impact is limited to unauthorized access to resources that are otherwise protected by the UI.

Generated by OpenCVE AI on June 22, 2026 at 16:36 UTC.

Remediation

Vendor Solution

IBM strongly suggests that you address the vulnerabilities now for all affected products/versions listed above by installing IBM Datacap 9.1.9 Interim Fix 008.


OpenCVE Recommended Actions

  • Apply IBM Datacap 9.1.9 Interim Fix 008 to all affected IBM Datacap and IBM Datacap Navigator installations.
  • Ensure that direct URL requests to sensitive resources no longer return content; adjust firewall or proxy rules to block undesired paths.
  • Review identity and access management configurations to confirm that only authorized roles can access the protected URLs, and conduct routine penetration testing for access‑control validation.

Generated by OpenCVE AI on June 22, 2026 at 16:36 UTC.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Values Removed: none
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Values Removed: none
Values Added:
  • Description: IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 expose resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls.
  • Title: Multiple Vulnerabilities in IBM Datacap
  • First Time appeared: Ibm; Ibm datacap; Ibm datacap Navigator
  • Weaknesses: CWE-425
  • CPEs:
    cpe:2.3:a:ibm:datacap:9.1.7:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:datacap:9.1.8:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:datacap:9.1.9:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:datacap_navigator:9.1.7:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:datacap_navigator:9.1.8:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:datacap_navigator:9.1.9:*:*:*:*:*:*:*
  • Vendors & Products: Ibm; Ibm datacap; Ibm datacap Navigator
  • References
  • Metrics: cvssV3_1 {'score': 2.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T15:58:05.511Z

Reserved: 2026-05-26T16:26:51.917Z

Link: CVE-2026-9610

Vulnrichment

Updated: 2026-06-22T15:58:00.530Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:45:16Z

Weaknesses
  • CWE-425: Direct Request ('Forced Browsing')