Skip to main content

IBM Business Automation Workflow EUVDEUVD-2026-32521

| CVE-2026-1248 MEDIUM
Error Message Information Leak (CWE-209)
2026-05-27 psirt@us.ibm.com GHSA-gq2r-qh4m-2g7x
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:17 vuln.today

DescriptionCVE.org

IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages.

AnalysisAI

Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.

Technical ContextAI

The vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information), a well-understood class of defect where application exception handlers return internal implementation details to clients rather than sanitized, generic error responses. IBM Business Automation Workflow, a BPM and case management platform available in both containerized (Kubernetes/OpenShift) and traditional on-premise deployment models, fails to strip database-layer metadata from error payloads surfaced to end users. The exposed data is structural - schema artifacts rather than row-level data - but still constitutes sensitive reconnaissance material. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the flaw is reachable over the network with low complexity, requires only a low-privilege authenticated session, and impacts confidentiality alone within the application's own security scope.

RemediationAI

Consult the IBM security advisory at https://www.ibm.com/support/pages/node/7271445 for the specific interim fix or cumulative patch that resolves this issue; the input data identifies the upper boundary of affected versions (e.g., 24.0.0 IF 008, 24.0.1 IF 006, 25.0.0 IF 003, 25.0.1) but does not explicitly name a released fix version - the advisory should be treated as the authoritative source for the remediation target version. Until a patch is applied, a practical compensating control is to restrict authenticated access to the Business Automation Workflow application to only trusted internal users and service accounts, reducing the population of principals who could trigger and observe verbose error messages. Additionally, deploying a web application firewall or reverse proxy configured to suppress or genericize detailed error responses at the network perimeter can prevent schema details from reaching clients even if the underlying defect is not yet patched; note this mitigation does not eliminate the root cause and may complicate legitimate error diagnostics. Log aggregation and monitoring for anomalous error-trigger patterns from authenticated sessions can provide detection coverage in the interim.

Share

EUVD-2026-32521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy