IBM webMethods API Gateway and API Management Arbitrary File Read Vulnerability

Vulnerability

A vulnerability exists in IBM webMethods API Gateway (on-prem) versions 10.11 prior to 10.11_Fix33, 10.15 prior to 10.15_F28, and 11.1 prior to 11.1_F8, as well as in IBM webMethods API Management (on-prem) 10.11 through 10.11_F32, 10.15 through 10.15_F27, and 11.1 through 11.1_F7. The software does not properly validate the url parameter of the /createapi endpoint: the value is expected to be an https:// URL, but the scheme is not enforced, so an attacker can supply a file:// URI in its place. Because the gateway dereferences the supplied URL on the server side, this lets the attacker read arbitrary files from the server's file system.
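The bug class above (a URL parameter whose scheme is never checked, handed to a loader that happens to understand file://) is easy to reproduce and to fix in isolation. The following is an added example written for this page; it is not IBM's code and does not use the webMethods API. It assumes the gateway fetches an API definition from the supplied URL, and every name in it (fetch_naive, validate_import_url, http_only_opener, flag_createapi_query, the sample file contents) is hypothetical. It shows the vulnerable pattern, a scheme allow-list for the parameter, a fetch layer that cannot speak file:// even if the check is bypassed, and a small log-hunting check for /createapi query strings that carry a non-HTTP url value.

```python
import tempfile
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Only schemes an API-definition import should ever dereference (assumption:
# the import is meant to fetch an OpenAPI/Swagger document over HTTP(S)).
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: stands in for a sensitive file on the gateway host.
SAMPLE_SECRET = b"db.password=hunter2\n"


def write_sample_file() -> str:
    """Write the constructed secret to a temp file and return its path."""
    f = tempfile.NamedTemporaryFile("wb", suffix=".properties", delete=False)
    with f:
        f.write(SAMPLE_SECRET)
    return f.name


def fetch_naive(url: str) -> bytes:
    """Vulnerable pattern: the caller-supplied url goes straight to a generic
    URL loader. urlopen's default opener includes a FileHandler, so a
    file:// URI reads from the server's disk instead of being rejected."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def validate_import_url(url: str) -> str:
    """Allow-list check for the url parameter: http(s) only, host required,
    no embedded credentials. The scheme comparison is case-insensitive so
    FILE:// and File:// are caught as well. Returns the cleaned URL."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme or '(none)'}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    return cleaned


def http_only_opener() -> urllib.request.OpenerDirector:
    """Defence in depth: an opener that knows only http/https. Even if the
    parameter check is bypassed (or an HTTP redirect points at file://),
    there is no FileHandler, so UnknownHandler raises URLError."""
    opener = urllib.request.OpenerDirector()
    opener.add_handler(urllib.request.HTTPHandler())
    opener.add_handler(urllib.request.HTTPSHandler())
    opener.add_handler(urllib.request.UnknownHandler())
    return opener


def fetch_hardened(url: str) -> bytes:
    """Validate first, then fetch through the restricted opener."""
    with http_only_opener().open(validate_import_url(url)) as resp:
        return resp.read()


def flag_createapi_query(query_string: str) -> bool:
    """Log-hunting check for /createapi requests: True if the query string
    carries a url value whose scheme is outside the allow-list, whether
    percent-encoded (url=file%3A%2F%2F...) or not."""
    for value in parse_qs(query_string).get("url", []):
        if urlsplit(value.strip()).scheme.lower() not in ALLOWED_SCHEMES:
            return True
    return False


if __name__ == "__main__":
    path = write_sample_file()
    print("naive fetch leaks:", fetch_naive("file://" + path))
    for bad in ("file://" + path, "FILE:///etc/passwd", "https:///no-host"):
        try:
            validate_import_url(bad)
        except ValueError as e:
            print("rejected:", bad, "->", e)
    try:
        http_only_opener().open("file://" + path)
    except urllib.error.URLError as e:
        print("opener refused file://:", e.reason)
    print("suspicious query:", flag_createapi_query("url=file%3A%2F%2F%2Fetc%2Fpasswd&name=x"))
```

The two server-side layers are deliberately independent: the allow-list rejects the request at the parameter, and the restricted opener guarantees that no code path (including a redirect followed by the client) can dereference a non-HTTP scheme. When hunting in access logs, remember that the scheme may arrive upper-cased or percent-encoded, which is why the check decodes and lower-cases before comparing.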

Impact

Exploitation of this vulnerability allows for unauthorized arbitrary file read access on the underlying server file system.

Remediation

Users are advised to upgrade to IBM webMethods API Gateway 10.11_F33, 10.15_F28, or 11.1_F8. These fixes are applied with the IBM webMethods Update Manager and are available from IBM Fix Central.

Added: Mar 3, 2026, 8:20 PM
Updated: Mar 3, 2026, 10:05 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.8
exploitability: 5.0
remediation: 7.7
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.