Skip to main content

InfoSphere Optim TDF CVE-2026-3366

| EUVDEUVD-2026-32274 HIGH
Path Traversal (CWE-22)
2026-05-27 psirt@us.ibm.com GHSA-j7mj-2mr3-62xh
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:57 vuln.today

DescriptionCVE.org

IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system

AnalysisAI

Directory traversal in IBM InfoSphere Optim Test Data Fabrication (versions 1.0.0 through 1.0.2.7) lets a remote, unauthenticated attacker read arbitrary files from the host by sending a crafted URL containing '../' sequences. The flaw is purely an information-disclosure issue - confidentiality is impacted with no integrity or availability effect - and CVSS rates it 7.5 (High). There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as none, though it flags the issue as automatable.

Technical ContextAI

IBM InfoSphere Optim Test Data Fabrication is a data-management product used to generate and provision synthetic/masked test datasets for non-production database environments. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal): the application's web-facing component takes a user-supplied path or filename in a URL request and uses it to access files on disk without adequately canonicalizing or constraining it to an intended base directory. By embedding 'dot dot slash' (/../) traversal sequences, an attacker can escape the intended directory and reference files elsewhere on the filesystem. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, the vulnerable file-serving logic is reachable over the network with no authentication and no user interaction.

RemediationAI

Apply the fix described in IBM's advisory at https://www.ibm.com/support/pages/node/7272653, which is the authoritative source for the patched build and interim fix/APAR details; an exact fixed version number was not present in the available data, so treat this as patch available per vendor advisory and confirm the target version from that page before deploying. As compensating controls until patching, restrict network exposure of the Optim TDF web interface by placing it behind a VPN or firewall so it is not internet-reachable (trade-off: may break remote/automated access for legitimate integrations), and deploy a reverse proxy or WAF rule to reject requests whose path contains traversal sequences such as '../', '..%2f', or encoded variants (trade-off: pattern-based filtering can be bypassed by alternate encodings and may block legitimate URLs with similar substrings). Additionally, run the service under a least-privilege OS account and tighten filesystem permissions so that even a successful traversal exposes minimal sensitive data, and monitor web/access logs for traversal patterns. These controls reduce but do not eliminate exposure and are not a substitute for the vendor fix.

Share

CVE-2026-3366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy