Skip to main content

IBM watsonx.data CVE-2025-36327

| EUVDEUVD-2025-210378 MEDIUM
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-06-30 ibm GHSA-32p5-27p9-f97f
6.5
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable bypass requiring a valid low-privileged account; high integrity impact only, with no confidentiality or availability effect per the vulnerability description.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:18 vuln.today

DescriptionCVE.org

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of sever-side security.

AnalysisAI

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Technical ContextAI

CWE-602 (Client-Side Enforcement of Server-Side Security) describes a class of flaw where the application relies on client-side controls - such as hidden UI elements, disabled buttons, or JavaScript validation - to enforce access restrictions that should be validated server-side. An attacker can trivially bypass these by intercepting and modifying HTTP/API requests using a proxy tool, replaying tokens, or crafting raw requests that the server processes without re-validating the caller's privileges. IBM watsonx.data Intelligence is an enterprise AI data lakehouse and data management platform. The CPE (cpe:2.3:a:ibm:watsonx.data_intelligence) covers the confirmed affected versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the flaw is network-reachable, requires no special conditions or user interaction beyond holding a low-privileged account, making exploitation straightforward once authenticated.

RemediationAI

IBM has confirmed a patch is available; consult the vendor advisory at https://www.ibm.com/support/pages/node/7277801 for the exact fixed version and upgrade instructions, as the specific patched release number was not included in the available disclosure data. Organizations should prioritize upgrading all instances running versions 5.2.0, 5.2.1, 5.2.2, or 5.3.0. As an interim compensating control, restrict network access to the watsonx.data Intelligence application to only trusted, authenticated users via firewall or network segmentation - this reduces the attack surface without addressing the root cause. Additionally, audit application access logs for anomalous API calls that deviate from expected user role activity, as this can surface exploitation attempts. Enforce the principle of least privilege for all user accounts to minimize the potential scope of unauthorized actions if the bypass is exercised.

Share

CVE-2025-36327 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy