Skip to main content

IBM watsonx.data CVE-2025-36336

| EUVDEUVD-2025-210375 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-06-30 ibm GHSA-jxqf-888q-rfrh
5.9
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

On-path network positioning required (AC:H); passive interception yields no integrity or availability impact, only confidentiality loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 21:15 vuln.today

DescriptionCVE.org

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

AnalysisAI

Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to interception by network-adjacent attackers using man-in-the-middle techniques. The CVSS vector (AV:N/AC:H/PR:N) confirms exploitation requires no authentication but does demand the attacker occupy a privileged on-path network position, moderating the overall risk. No public exploit code and no CISA KEV listing have been identified at time of analysis; vendor-released patch is available.

Technical ContextAI

CWE-319 (Cleartext Transmission of Sensitive Information) describes the root cause: the application transmits sensitive data over a network channel without adequate cryptographic protection, making that data readable to any on-path observer. IBM watsonx.data intelligence is an enterprise AI and data lakehouse platform. The affected CPE is cpe:2.3:a:ibm:watsonx.data_intelligence:*:*:*:*:*:*:*:*, covering versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0. The vulnerability likely involves one or more internal or external communication channels - such as inter-service API calls, data ingestion pipelines, or client connections - where TLS is absent or bypassable, allowing passive capture of credentials, query data, or query results.

RemediationAI

Apply the vendor-released patch documented in IBM support advisory https://www.ibm.com/support/pages/node/7277801. The exact fixed version number is not specified in available input data - consult the advisory directly to identify the target upgrade version. If immediate patching is not feasible, deploy compensating controls: enforce TLS encryption on all network paths connecting watsonx.data intelligence services to clients and backends; apply network segmentation to restrict which hosts can communicate with the watsonx.data infrastructure, reducing on-path attacker opportunity; and enable network-level monitoring (e.g., IDS/IPS signatures for unencrypted sensitive data patterns) to detect cleartext transmission. Note that network segmentation reduces exposure but does not eliminate the vulnerability - patching remains the authoritative fix.

Share

CVE-2025-36336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy