Vulnerability Details CVE-2026-2606
IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the url parameter on the /createapi endpoint. An attacker can modify this parameter to use a file:// URI schema instead of the expected https:// schema, enabling unauthorized arbitrary file read access on the underlying server file system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.3%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-2606
-
cpe:2.3:a:ibm:webmethods_api_gateway:10.11
-
cpe:2.3:a:ibm:webmethods_api_gateway:10.15
-
cpe:2.3:a:ibm:webmethods_api_gateway:11.1