Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-reachable bypass requiring a valid low-privileged account; high integrity impact only, with no confidentiality or availability effect per the vulnerability description.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of sever-side security.
AnalysisAI
Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.
Technical ContextAI
CWE-602 (Client-Side Enforcement of Server-Side Security) describes a class of flaw where the application relies on client-side controls - such as hidden UI elements, disabled buttons, or JavaScript validation - to enforce access restrictions that should be validated server-side. An attacker can trivially bypass these by intercepting and modifying HTTP/API requests using a proxy tool, replaying tokens, or crafting raw requests that the server processes without re-validating the caller's privileges. IBM watsonx.data Intelligence is an enterprise AI data lakehouse and data management platform. The CPE (cpe:2.3:a:ibm:watsonx.data_intelligence) covers the confirmed affected versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the flaw is network-reachable, requires no special conditions or user interaction beyond holding a low-privileged account, making exploitation straightforward once authenticated.
RemediationAI
IBM has confirmed a patch is available; consult the vendor advisory at https://www.ibm.com/support/pages/node/7277801 for the exact fixed version and upgrade instructions, as the specific patched release number was not included in the available disclosure data. Organizations should prioritize upgrading all instances running versions 5.2.0, 5.2.1, 5.2.2, or 5.3.0. As an interim compensating control, restrict network access to the watsonx.data Intelligence application to only trusted, authenticated users via firewall or network segmentation - this reduces the attack surface without addressing the root cause. Additionally, audit application access logs for anomalous API calls that deviate from expected user role activity, as this can surface exploitation attempts. Enforce the principle of least privilege for all user accounts to minimize the potential scope of unauthorized actions if the bypass is exercised.
More in Watsonx Data Intelligence
View allStored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privi
Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes se
Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to intercept
HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to
Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to i
Temporary denial of service in IBM watsonx.data intelligence 5.2.0 through 5.3.0 is achievable by authenticated users wh
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbo
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution
Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attacker
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210378
GHSA-32p5-27p9-f97f