Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-accessible API flaw requiring authenticated session (PR:L); no confidentiality or availability impact, only limited unauthorized workflow actions affecting integrity.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow.
AnalysisAI
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.
Technical ContextAI
CWE-841 (Improper Enforcement of Behavioral Workflow) describes a flaw where an application fails to verify that a sequence of operations is performed in the required order or state before permitting sensitive actions. IBM watsonx.data Intelligence is an enterprise AI-powered data lakehouse and governance platform. The affected CPE (cpe:2.3:a:ibm:watsonx.data_intelligence:*:*:*:*:*:*:*:*) covers the application tier across versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. The root cause lies in the platform's workflow engine not enforcing pre-condition checks, allowing authenticated users to invoke actions out of sequence or outside their authorized scope - a class of flaw distinct from traditional authentication bypass but tagged as such because it achieves a similar authorization bypass outcome.
RemediationAI
A vendor-released patch is available per IBM advisory at https://www.ibm.com/support/pages/node/7277801 - administrators should consult this advisory for the exact fixed version and upgrade instructions, as no specific patched version number was included in the available intelligence. Until patching is applied, compensating controls should focus on restricting platform access to only necessary authenticated users, auditing workflow action logs for anomalous out-of-sequence operations, and enforcing the principle of least privilege for watsonx.data Intelligence user roles to reduce the pool of users who could trigger unauthorized workflow actions.
More in Watsonx Data Intelligence
View allClient-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an
Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privi
Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes se
Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to intercept
HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to
Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to i
Temporary denial of service in IBM watsonx.data intelligence 5.2.0 through 5.3.0 is achievable by authenticated users wh
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbo
Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attacker
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210376
GHSA-4h2c-c5g9-52gg