CVE-2025-13491 PUBLISHED

IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to loss of confidentiality

Assigner: ibm
Reserved: 20.11.2025 Published: 05.02.2026 Updated: 05.02.2026

IBM App Connect Enterprise Certified Container up to 12.19.0 (Continuous Delivery) and 12.0 LTS (Long Term Support) could allow an attacker to access sensitive files or modify configurations due to an untrusted search path.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.1

Product Status

Vendor IBM
Product App Connect Operator
Versions
  • affected from CD:11.2.0 to 11.6.0, 12.1.0 - 12.19.0 12.0 (incl.)
  • Version LTS:12.0.0 - 12.0.19 is affected
Vendor IBM
Product App Connect Enterprise Certified Containers Operands
Versions
  • affected from CD:12.0.11.1-r1 to 12.0.12.5-r1, 13.0.1.0-r1 - 13.0.6.0-r1 12.0 (incl.)
  • Version LTS:12.0.12-r1 - 12.0.12-r19 is affected

Workarounds

Disable mapping assistance in the DesignerAuthoring component

Solutions

IBM strongly suggests the following:

App Connect Enterprise Certified Container up to 12.19.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 12.20.0 or higher, and ensure that all DesignerAuthoring components are at 13.0.6.1-r1 or higher.  Documentation on the upgrade process is available at https://www.ibm.com/docs/en/app-connect/13.0?topic=releases-upgrading-operator

App Connect Enterprise Certified Container 12.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 12.0.20 or higher, and ensure that all DesignerAuthoring components are at 12.0.12-r20 or higher.  Documentation on the upgrade process is available at https://www.ibm.com/docs/en/app-connect/12.0?topic=umfpr-upgrading-operator-releases

Problem Types

  • CWE-426 Untrusted Search Path