Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system
AnalysisAI
Directory traversal in IBM InfoSphere Optim Test Data Fabrication (versions 1.0.0 through 1.0.2.7) lets a remote, unauthenticated attacker read arbitrary files from the host by sending a crafted URL containing '../' sequences. The flaw is purely an information-disclosure issue - confidentiality is impacted with no integrity or availability effect - and CVSS rates it 7.5 (High). There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as none, though it flags the issue as automatable.
Technical ContextAI
IBM InfoSphere Optim Test Data Fabrication is a data-management product used to generate and provision synthetic/masked test datasets for non-production database environments. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal): the application's web-facing component takes a user-supplied path or filename in a URL request and uses it to access files on disk without adequately canonicalizing or constraining it to an intended base directory. By embedding 'dot dot slash' (/../) traversal sequences, an attacker can escape the intended directory and reference files elsewhere on the filesystem. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, the vulnerable file-serving logic is reachable over the network with no authentication and no user interaction.
RemediationAI
Apply the fix described in IBM's advisory at https://www.ibm.com/support/pages/node/7272653, which is the authoritative source for the patched build and interim fix/APAR details; an exact fixed version number was not present in the available data, so treat this as patch available per vendor advisory and confirm the target version from that page before deploying. As compensating controls until patching, restrict network exposure of the Optim TDF web interface by placing it behind a VPN or firewall so it is not internet-reachable (trade-off: may break remote/automated access for legitimate integrations), and deploy a reverse proxy or WAF rule to reject requests whose path contains traversal sequences such as '../', '..%2f', or encoded variants (trade-off: pattern-based filtering can be bypassed by alternate encodings and may block legitimate URLs with similar substrings). Additionally, run the service under a least-privilege OS account and tighten filesystem permissions so that even a successful traversal exposes minimal sensitive data, and monitor web/access logs for traversal patterns. These controls reduce but do not eliminate exposure and are not a substitute for the vendor fix.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32274
GHSA-j7mj-2mr3-62xh