
Business Automation Manager CVE-2026-13449

EUVD: EUVD-2026-40389 · CRITICAL
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-30 psirt@us.ibm.com GHSA-v868-4m83-h5w3
9.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated remote XML submission to a default parser gives AV:N/AC:L/PR:N/UI:N; XXE yields file disclosure (C:H) and memory-exhaustion DoS (A:H) with no integrity impact (I:N).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Updated
Jul 02, 2026 - 18:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 18:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 18:37 vuln.today
cvss_changed
Severity Changed
Jul 02, 2026 - 18:37 NVD
HIGH → CRITICAL
CVSS changed
Jul 02, 2026 - 18:37 NVD
7.6 (HIGH) → 9.1 (CRITICAL)
Analysis Generated
Jun 30, 2026 - 20:36 vuln.today

Description (NVD)

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Analysis (AI)

XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). …


Attack Chain (AI Derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach network-exposed BAMOE XML endpoint
Delivery: Craft XML with external entity or expanding DTD
Exploit: Submit malicious XML to parser
Execution: Parser resolves entity, reads local file or exhausts memory
Impact: Exfiltrate sensitive data or degrade availability

Vulnerability Assessment (AI)

Exploitation: Exploitation requires reaching a BAMOE 9.0.0-9.4.2 interface that parses attacker-supplied XML (its process/decision model ingestion or XML-accepting APIs) and that the underlying parser has external-entity/DTD resolution enabled: the CWE-611 condition. …

Risk Assessment: The signals are mixed and point to elevated theoretical severity but modest immediate urgency. …

Exploit Scenario: An attacker with network reach to a BAMOE endpoint that accepts XML sends a crafted document containing an external entity referencing a local file (e.g. an OS credential or configuration file), causing the server to return or leak the file contents; alternatively the attacker submits a deeply nested/expanding entity to exhaust server memory. …

Remediation: Consult the IBM advisory at https://www.ibm.com/support/pages/node/7278532 for the fixed release and upgrade beyond the affected 9.0.0-9.4.2 range; a patch is available per the vendor advisory, though an exact fixed version number is not stated in the available data and should be confirmed directly from IBM before planning the upgrade. …

Recommended Action (AI)

Within 24 hours: Identify all systems running IBM Business Automation Manager 9.0.0-9.4.2 and document network exposure. …

