CVE-2026-2606
Received Received - Intake
Improper Input Validation in IBM webMethods API Gateway Enables Arbitrary File Read

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: IBM Corporation

Description
IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapiΒ endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2606
EUVD
EUVD-2026-9314
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
ibm webmethods_api_gateway 10.11
ibm webmethods_api_gateway 10.11
ibm webmethods_api_gateway 10.15
ibm webmethods_api_gateway 10.15
ibm webmethods_api_gateway 11.1
ibm webmethods_api_gateway 11.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The CVE-2026-2606 vulnerability affects IBM webMethods API Management (on-premises) due to improper validation of user-supplied input in the "url" parameter on the /createapi endpoint.'}, {'type': 'paragraph', 'content': 'Specifically, the system fails to restrict the URI schema, allowing an attacker to replace the expected "https://" schema with a "file://" URI schema.'}, {'type': 'paragraph', 'content': 'This flaw enables unauthorized arbitrary file read access on the underlying server file system, representing a path traversal vulnerability categorized under CWE-22.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'An attacker exploiting this vulnerability can gain unauthorized access to arbitrary files on the server\'s file system by manipulating the "url" parameter to use the "file://" URI schema.'}, {'type': 'paragraph', 'content': 'This can lead to a high confidentiality impact as sensitive files might be exposed, although the vulnerability does not affect integrity or availability.'}, {'type': 'paragraph', 'content': 'The vulnerability has a CVSS v3.1 base score of 6.5, indicating a moderate severity with network attack vector, low attack complexity, and requiring low privileges.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the CVE-2026-2606 vulnerability in IBM webMethods API Gateway (on-premises), IBM recommends applying the appropriate fixes for your product version: 10.11_Fix33, 10.15_Fix28, or 11.1_Fix8.'}, {'type': 'paragraph', 'content': "These fixes can be installed using the IBM webMethods Update Manager tool available on IBM's Fix Central website."}, {'type': 'paragraph', 'content': 'No workarounds or alternative mitigations are provided, so applying the official fixes is the immediate recommended action.'}, {'type': 'paragraph', 'content': 'Additionally, customers are advised to subscribe to IBM notifications for future security alerts.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2606. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart