CVE-2025-36373 PUBLISHED

Incorrect administrative access control in IBM DataPower Gateway

Assigner: ibm
Reserved: 15.04.2025 Published: 01.04.2026 Updated: 02.04.2026

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
CVSS Score: 4.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	IBM
Product	DataPower Gateway 10.6CD
Versions	affected from 10.6.1.0 to 10.6.5.0 (incl.)

Vendor	IBM
Product	DataPower Gateway 10.5.0
Versions	affected from 10.5.0.0 to 10.5.0.20 (incl.)

Vendor	IBM
Product	DataPower Gateway 10.6.0
Versions	affected from 10.6.0.0 to 10.6.0.8 (incl.)

Solutions

Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0

Credits

Acknowledgement This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber. finder

References

https://www.ibm.com/support/pages/node/7267833

Problem Types

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE