Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages.
AnalysisAI
Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.
Technical ContextAI
The vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information), a well-understood class of defect where application exception handlers return internal implementation details to clients rather than sanitized, generic error responses. IBM Business Automation Workflow, a BPM and case management platform available in both containerized (Kubernetes/OpenShift) and traditional on-premise deployment models, fails to strip database-layer metadata from error payloads surfaced to end users. The exposed data is structural - schema artifacts rather than row-level data - but still constitutes sensitive reconnaissance material. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the flaw is reachable over the network with low complexity, requires only a low-privilege authenticated session, and impacts confidentiality alone within the application's own security scope.
RemediationAI
Consult the IBM security advisory at https://www.ibm.com/support/pages/node/7271445 for the specific interim fix or cumulative patch that resolves this issue; the input data identifies the upper boundary of affected versions (e.g., 24.0.0 IF 008, 24.0.1 IF 006, 25.0.0 IF 003, 25.0.1) but does not explicitly name a released fix version - the advisory should be treated as the authoritative source for the remediation target version. Until a patch is applied, a practical compensating control is to restrict authenticated access to the Business Automation Workflow application to only trusted internal users and service accounts, reducing the population of principals who could trigger and observe verbose error messages. Additionally, deploying a web application firewall or reverse proxy configured to suppress or genericize detailed error responses at the network perimeter can prevent schema details from reaching clients even if the underlying defect is not yet patched; note this mitigation does not eliminate the root cause and may complicate legitimate error diagnostics. Log aggregation and monitoring for anomalous error-trigger patterns from authenticated sessions can provide detection coverage in the interim.
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32521
GHSA-gq2r-qh4m-2g7x