Skip to main content

Planning Analytics Local CVE-2025-14806

| EUVDEUVD-2025-208810 MEDIUM
Use of Cache Containing Sensitive Information (CWE-524)
2026-03-17 ibm
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 17, 2026 - 22:08 euvd
EUVD-2025-208810
Analysis Generated
Mar 17, 2026 - 22:08 vuln.today
Patch released
Mar 17, 2026 - 22:08 nvd
Patch available
CVE Published
Mar 17, 2026 - 21:50 nvd
MEDIUM 5.7

DescriptionCVE.org

IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources.

AnalysisAI

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain a cache poisoning vulnerability (CWE-524) where attackers can manipulate the caching mechanism to store and serve sensitive, user-specific responses as publicly cacheable resources, resulting in information disclosure to unauthorized users. The vulnerability requires low attack complexity and user interaction but only affects confidentiality with a CVSS score of 5.7. A patch is available from the vendor, and this represents a moderate-priority issue requiring prompt remediation in production environments handling sensitive analytical data.

Technical ContextAI

This vulnerability stems from improper cache control implementation in IBM Planning Analytics Local (confirmed via CPE cpe:2.3:a:ibm:planning_analytics_local:*:*:*:*:*:*:*:*), classified under CWE-524 (Uncontrolled Write to File with Dangerous File Extensions). The root cause involves the HTTP caching mechanism failing to properly mark user-specific responses as non-cacheable, allowing responses containing sensitive planning, analytical, or user-profile data to be stored in shared caches (browser, intermediary, or CDN proxies). Attackers exploit this by crafting requests that generate user-specific responses, which the cache then incorrectly treats as public content. This is a cache poisoning attack that violates HTTP Cache-Control semantics and authentication boundaries.

RemediationAI

Upgrade IBM Planning Analytics Local to version 2.1.18 or later as soon as operationally feasible; patch downloads and detailed instructions are available in the IBM security advisory at https://www.ibm.com/support/pages/node/7263581. As an interim compensating control, enforce strict HTTP Cache-Control headers (Cache-Control: private, no-store) at the reverse proxy or application gateway level for all Planning Analytics Local endpoints, implement HTTPS with HSTS (Strict-Transport-Security) to prevent downgrade attacks, and restrict network access to Planning Analytics to internal networks or VPN-connected users only. Disable shared caching proxies for Planning Analytics traffic if feasible, or configure them to respect all private/no-store directives. Monitor web server and proxy logs for suspicious cache access patterns (repeated requests from different sources for user-specific URLs) and consider implementing content security policies to limit cache visibility.

CVE-2024-35143 CRITICAL
9.1 Aug 04

IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. Rated critical severity (CVSS 9.1), this vulnerab

CVE-2020-4367 HIGH
7.5 Jun 02

IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decr

CVE-2025-33004 MEDIUM
6.5 Jun 01

IBM Planning Analytics Local 2.0 and 2.1 could allow a privileged user to delete files from directories due to improper

CVE-2026-1267 MEDIUM
6.5 Mar 17

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) th

CVE-2025-33005 MEDIUM
6.3 Jun 01

IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated u

CVE-2020-4503 MEDIUM
6.1 Jun 02

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerabi

CVE-2020-4366 MEDIUM
6.1 Jun 02

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerabi

CVE-2018-1676 MEDIUM
6.1 Jul 06

IBM Planning Analytics 2.0.0 through 2.0.4 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this

CVE-2025-25044 MEDIUM
5.4 Jun 01

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticat

CVE-2024-31908 MEDIUM
5.4 May 31

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 5.4),

CVE-2024-31907 MEDIUM
5.4 May 31

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this v

CVE-2024-31889 MEDIUM
5.4 May 31

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this v

Share

CVE-2025-14806 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy