CVE-2025-36058
Unknown Unknown - Not Provided
Configuration Information Disclosure in IBM Business Automation Workflow Containers

Publication date: 2026-01-20

Last updated on: 2026-02-17

Assigner: IBM Corporation

Description
IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-36058
EUVD
EUVD-2026-3372
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 24.0.1
ibm business_automation_workflow 25.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 24.0.0
ibm business_automation_workflow 25.0.0
ibm business_automation_workflow 25.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability, identified as CVE-2025-36058, affects IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers versions 24.0.0 through 25.0.0 (including certain interim fixes). It involves the potential disclosure of sensitive configuration information through a config map. This means that sensitive data stored in configuration files could be exposed to unauthorized local users with access to the container environment. The issue is classified under CWE-538, which relates to the insertion of sensitive information into externally accessible files or directories. [1]

Impact Analysis

The impact of this vulnerability is primarily on confidentiality. An attacker with local access to the affected containers could gain access to sensitive configuration information that should remain protected. This could lead to unauthorized disclosure of sensitive data, potentially compromising security settings or credentials stored in the config map. However, the vulnerability does not affect integrity or availability of the system. [1]

Mitigation Strategies

To mitigate this vulnerability, you should apply the appropriate fix pack for your IBM Business Automation Workflow container version: apply fix pack 24.0.0-IF007 for version 24.0.0 series, fix pack 24.0.1-IF006 for version 24.0.1 series, or fix pack 25.0.0-IF003 for version 25.0.0 series. Unsupported or end-of-life versions are not covered, so upgrading to a supported fixed version is recommended. No other workarounds or mitigations are provided. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart