Skip to main content

IBM watsonx.data CVE-2025-36145

| EUVDEUVD-2025-209935 MEDIUM
Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)
2026-05-26 ibm GHSA-m5w6-r57x-w289
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:26 vuln.today

DescriptionCVE.org

IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions.

AnalysisAI

IBM watsonx.data (IBM Lakehouse) versions 2.2 through 2.3.1 fails to properly restrict inbound and outbound network connections, enabling authenticated low-privilege attackers to transfer or modify files without appropriate authorization controls. The vulnerability carries a CVSS score of 5.4 with network reachability and low attack complexity, though EPSS probability sits at just 0.02% (7th percentile) and SSVC assessment confirms no active exploitation. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM's support portal.

Technical ContextAI

The affected product, IBM watsonx.data (CPE: cpe:2.3:a:ibm:watsonx.data:*:*:*:*:*:*:*:*), is IBM's data lakehouse platform built for hybrid multi-cloud analytics workloads. The root cause is classified under CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints - meaning the platform fails to enforce adequate access control boundaries on the network channels used for data movement and file operations. In a lakehouse architecture, data ingestion, transformation, and storage pipelines routinely open internal and external connections for file transfer operations. When these channels are not properly gated by authorization checks, a session operating under low privileges can leverage them to read or write data outside its intended scope. The CVSS vector AV:N/AC:L/PR:L/UI:N reflects that the flaw is exploitable over the network with minimal privilege and no special conditions needed beyond authentication.

RemediationAI

Apply the vendor-released patch available via IBM's support portal at https://www.ibm.com/support/pages/node/7272498 - this is the primary and recommended remediation. The exact patched version is not independently confirmed from available references beyond 'available from vendor,' so verify the specific target version against the advisory before deploying. As a compensating control prior to patching, restrict network-level access to watsonx.data management and data-plane interfaces using perimeter controls (firewall rules, security groups) to limit which hosts and accounts can initiate inbound and outbound connections to the lakehouse environment. Additionally, audit and enforce least-privilege principles on all watsonx.data accounts to minimize the set of authenticated users who could exploit unrestricted connection channels. Note that network-level restrictions may affect legitimate ETL and data pipeline operations and should be tested in a non-production environment before rollout.

Share

CVE-2025-36145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy