CVE-2025-36058
Unknown Unknown - Not Provided

Configuration Information Disclosure in IBM Business Automation Workflow Containers

Vulnerability report for CVE-2025-36058, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-20

Last updated on: 2026-02-17

Assigner: IBM Corporation

Description

IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-20
Last Modified
2026-02-17
Generated
2026-07-06
AI Q&A
2026-01-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 15 associated CPEs
Vendor Product Version / Range
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 25.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 25.0.0
ibm business_automation_workflow 25.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability, identified as CVE-2025-36058, affects IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers versions 24.0.0 through 25.0.0 (including certain interim fixes). It involves the potential disclosure of sensitive configuration information through a config map. This means that sensitive data stored in configuration files could be exposed to unauthorized local users with access to the container environment. The issue is classified under CWE-538, which relates to the insertion of sensitive information into externally accessible files or directories. [1]

Impact Analysis

The impact of this vulnerability is primarily on confidentiality. An attacker with local access to the affected containers could gain access to sensitive configuration information that should remain protected. This could lead to unauthorized disclosure of sensitive data, potentially compromising security settings or credentials stored in the config map. However, the vulnerability does not affect integrity or availability of the system. [1]

Mitigation Strategies

To mitigate this vulnerability, you should apply the appropriate fix pack for your IBM Business Automation Workflow container version: apply fix pack 24.0.0-IF007 for version 24.0.0 series, fix pack 24.0.1-IF006 for version 24.0.1 series, or fix pack 25.0.0-IF003 for version 25.0.0 series. Unsupported or end-of-life versions are not covered, so upgrading to a supported fixed version is recommended. No other workarounds or mitigations are provided. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart