Skip to main content

watsonx.data Intelligence CVE-2025-36333

| EUVDEUVD-2025-210376 MEDIUM
Improper Enforcement of Behavioral Workflow (CWE-841)
2026-06-30 ibm GHSA-4h2c-c5g9-52gg
4.3
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible API flaw requiring authenticated session (PR:L); no confidentiality or availability impact, only limited unauthorized workflow actions affecting integrity.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:15 vuln.today

DescriptionCVE.org

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow.

AnalysisAI

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Technical ContextAI

CWE-841 (Improper Enforcement of Behavioral Workflow) describes a flaw where an application fails to verify that a sequence of operations is performed in the required order or state before permitting sensitive actions. IBM watsonx.data Intelligence is an enterprise AI-powered data lakehouse and governance platform. The affected CPE (cpe:2.3:a:ibm:watsonx.data_intelligence:*:*:*:*:*:*:*:*) covers the application tier across versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. The root cause lies in the platform's workflow engine not enforcing pre-condition checks, allowing authenticated users to invoke actions out of sequence or outside their authorized scope - a class of flaw distinct from traditional authentication bypass but tagged as such because it achieves a similar authorization bypass outcome.

RemediationAI

A vendor-released patch is available per IBM advisory at https://www.ibm.com/support/pages/node/7277801 - administrators should consult this advisory for the exact fixed version and upgrade instructions, as no specific patched version number was included in the available intelligence. Until patching is applied, compensating controls should focus on restricting platform access to only necessary authenticated users, auditing workflow action logs for anomalous out-of-sequence operations, and enforcing the principle of least privilege for watsonx.data Intelligence user roles to reduce the pool of users who could trigger unauthorized workflow actions.

Share

CVE-2025-36333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy