CVE-2025-36373

MEDIUM

Incorrect administrative access control in IBM DataPower Gateway

Title source: cna

Description

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.

References (1)

[Vendor Advisory] https://www.ibm.com/support/pages/node/7267833

Scores

CVSS v3 4.1

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-497

Status published

Products (5)

IBM/DataPower Gateway 10.5.0 10.5.0.0 - 10.5.0.20

IBM/DataPower Gateway 10.6.0 10.6.0.0 - 10.6.0.8

IBM/DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0

ibm/datapower_gateway 10.5.0.0 - 10.5.0.21

ibm/datapower_gateway 10.6.1.0 - 10.6.6.0

Published Apr 01, 2026

Tracked Since Apr 02, 2026