PT-2025-25495 · Ibm · Ibm Mq Operator Sc2+2

Published: 2025-06-13 · Updated: 2025-08-22 · CVE-2025-36041

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
IBM MQ Operator LTS versions 2.0.0 through 2.0.29
IBM MQ Operator CD versions 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 through 3.5.3
IBM MQ Operator SC2 versions 3.2.0 through 3.2.12

Description
The issue allows the Native HA CRR to be configured with a private key and certificate chain other than the intended key. This could disclose sensitive information or allow an attacker to perform unauthorized actions.

Recommendations
For IBM MQ Operator LTS versions 2.0.0 through 2.0.29, update to a version that includes the fix for this issue.
For IBM MQ Operator CD versions 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 through 3.5.3, update to a version that includes the fix for this issue.
For IBM MQ Operator SC2 versions 3.2.0 through 3.2.12, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the Native HA CRR configuration to minimize the risk of exploitation.

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2025-07294
CVE-2025-36041

Affected Products

Ibm Mq Operator
Ibm Mq Operator Lts
Ibm Mq Operator Sc2