PT-2026-22805 · IBM · webMethods API Management +1

Published: 2026-03-03 · Updated: 2026-03-05 · CVE-2026-2606

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

IBM webMethods API Gateway (on-prem) versions 10.11 through 10.11 Fix32, 10.15 to 10.15 Fix27, 11.1 to 11.1 Fix7

IBM webMethods API Management (on-prem) versions 10.11 through 10.11 Fix32, 10.15 to 10.15 Fix27, 11.1 to 11.1 Fix7

Description

The software does not properly validate user-supplied input provided to the url parameter on the /createapi API endpoint. An attacker can manipulate this parameter to use a file:// URI scheme instead of the expected https:// scheme, potentially allowing unauthorized access to arbitrary files on the underlying server file system.

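The missing check, sketched as a scheme allowlist for a user-supplied import URL. This is an added example, not IBM's code or the vendor's fix; `check_import_url`, `ALLOWED_SCHEMES` and the sample URLs are hypothetical names and constructed values.

```python
from urllib.parse import urlsplit

# Assumption: only https is acceptable, since the description names it
# as the expected scheme for the url parameter.
ALLOWED_SCHEMES = frozenset({"https"})


def check_import_url(raw):
    """Return (True, normalized_url) or (False, reason) for a user-supplied URL."""
    if not isinstance(raw, str) or not raw:
        return False, "empty or non-string value"
    # Reject whitespace/control characters outright instead of letting the
    # parser silently strip them and change what actually gets validated.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        return False, "whitespace or control character in URL"
    try:
        parts = urlsplit(raw)
        host = parts.hostname
        userinfo = parts.username is not None or parts.password is not None
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if userinfo:
        return False, "embedded credentials not allowed"
    return True, parts.geturl()


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "https://specs.example.test/petstore/openapi.json",
    "file:///constructed/local/path.txt",
    "FILE:///constructed/local/path.txt",
    "https:///constructed/local/path.txt",
    "//specs.example.test/openapi.json",
    " https://specs.example.test/openapi.json",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check_import_url(sample))
```

If the component that fetches the URL follows redirects, the same check has to be applied to each redirect target as well.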
Recommendations

IBM webMethods API Gateway versions 10.11 through 10.11 Fix32 should be updated. IBM webMethods API Gateway versions 10.15 to 10.15 Fix27 should be updated. IBM webMethods API Gateway versions 11.1 to 11.1 Fix7 should be updated.

IBM webMethods API Management versions 10.11 through 10.11 Fix32 should be updated. IBM webMethods API Management versions 10.15 to 10.15 Fix27 should be updated. IBM webMethods API Management versions 11.1 to 11.1 Fix7 should be updated.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-2606

Affected Products

webMethods API Gateway
webMethods API Management