IBM webMethods API Gateway allows unauthorized file access
CVE-2026-2606
Summary
IBM's API Gateway software fails to properly check user input, which could allow an attacker to access files on the server. This could lead to sensitive data being accessed or modified. Upgrade the software to a fixed version to prevent this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ibm | webmethods_api_gateway | 10.11 | – |
| ibm | webmethods_api_gateway | 10.15 | – |
| ibm | webmethods_api_gateway | 11.1 | – |
Original title
IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix32, 10.15 to 10.15_Fix27, 11.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to ...
Original description
IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix32, 10.15 to 10.15_Fix27, 11.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.
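
The class of check the description says is missing, as an added example (not IBM's code and not part of the original advisory): a scheme allowlist applied to a user-supplied URL before the server fetches it. The names `validate_import_url`, `is_allowed` and `RejectedURL` are hypothetical, and the example assumes the feature only ever needs `https://` sources.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: only HTTPS sources are legitimate


class RejectedURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def validate_import_url(raw: str) -> str:
    """Return raw unchanged if it is an absolute https:// URL with a host."""
    if not isinstance(raw, str) or not raw:
        raise RejectedURL("empty or non-string URL")
    # Refuse whitespace and control characters outright, so the validator and
    # the fetching library cannot disagree about what the URL means.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        raise RejectedURL("whitespace or control character in URL")
    try:
        parts = urlsplit(raw)  # lowercases the scheme for us
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise RejectedURL(f"unparseable URL: {exc}") from exc
    # Allowlist the scheme; a blocklist of "file" misses other handlers.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise RejectedURL("URL has no host component")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("embedded credentials are not allowed")
    return raw


def is_allowed(raw: str) -> bool:
    """Boolean wrapper around validate_import_url()."""
    try:
        validate_import_url(raw)
    except RejectedURL:
        return False
    return True


# Constructed sample inputs (not taken from the advisory).
SAMPLES = ["https://example.com/openapi.json", "file:///etc/hostname",
           "FILE:///etc/hostname", "file:/etc/hostname", "/etc/hostname",
           "https:///etc/hostname", "http://example.com/spec.yaml"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {'allow' if is_allowed(sample) else 'reject'}")
```

Validating the initial URL is not sufficient if the fetching client follows redirects; the same allowlist has to apply to every hop.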
NVD CVSS 3.1
6.5
Vulnerability type
CWE-22
Path Traversal
- https://www.ibm.com/support/pages/node/7261122 Vendor Advisory
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026