CVE-2026-2606
📋 TL;DR
This vulnerability in IBM webMethods API Gateway and API Management lets an attacker read arbitrary files on the server by manipulating the URL parameter of the /createapi endpoint: the expected https:// scheme is replaced with file://, so the gateway reads a local file instead of fetching a remote resource. Organizations running affected versions of these on-premises products are at risk.
💻 Affected Systems
- IBM webMethods API Gateway (on-prem)
- IBM webMethods API Management (on-prem)
📦 What is this software?
IBM webMethods API Gateway (formerly Software AG webMethods API Gateway, acquired by IBM in 2024) is an on-premises API management product that publishes, secures and mediates APIs in front of backend services; IBM webMethods API Management is the wider suite it belongs to. Its /createapi function builds an API definition from a resource the gateway retrieves from a caller-supplied URL, which is why the scheme of that URL matters for this issue.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of sensitive server files (configuration files, credentials, certificates and application data), with the recovered credentials or private keys then used to compromise the gateway host or the backend systems it fronts.
Likely Case
Unauthorized reading of configuration files, credentials or application data from the server file system.
If Mitigated
Limited impact where network segmentation and access controls keep the /createapi endpoint away from untrusted users.
🎯 Exploit Status
Exploitation requires authenticated access to the /createapi endpoint; beyond that, only a trivial change to the URL parameter (https:// to file://) is needed, with no memory corruption or race involved.
🛠️ Fix & Mitigation
✅ Official Fix
Fixed Versions: 10.11 Fix Pack 33, 10.15 Fix Pack 28, 11.1 Fix Pack 8
Vendor Advisory: https://www.ibm.com/support/pages/node/7261122
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack from IBM Fix Central.
2. Back up the current installation.
3. Apply the fix pack following IBM's documentation.
4. Restart services.
5. Verify the fix was applied.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation that accepts only the https:// scheme in the URL parameter. Prefer this allowlist over a rule that merely rejects the literal string file://, since the latter misses percent-encoded (file%3A%2F%2F) and mixed-case (FILE://) forms and other non-https schemes.
Custom validation in API Gateway policies to check the URL scheme
Access Restriction
Restrict access to the /createapi endpoint to authorized users only
Configure authentication and authorization rules for the endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to isolate API Gateway from sensitive systems
- Deploy WAF rules that block file:// (including percent-encoded and mixed-case forms) in requests to /createapi
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below the fixed fix pack for its release line (10.11 FP33, 10.15 FP28, 11.1 FP8) and, in a test environment only, submit a /createapi request whose URL parameter uses the file:// scheme against a harmless local file
Check Version:
Check product version via administrative console or installation directory
Verify Fix Applied:
Confirm the installed version is at or above the fixed fix pack and that a /createapi request with a file:// URL is rejected
📡 Detection & Monitoring
Log Indicators:
- Requests to /createapi whose URL parameter uses the file:// scheme, in plain, percent-encoded or mixed-case form
- Failed file access attempts in server logs
Network Indicators:
- HTTP requests containing file:// (or file%3A) in URL parameters
SIEM Query:
source="api_gateway" AND uri_path="*/createapi*" AND (url="*file://*" OR url="*file%3A*" OR parameter="*file://*" OR parameter="*file%3A*")
(Generic syntax: adjust the field names to your SIEM and make the match case-insensitive so that FILE:// and other mixed-case variants are not missed.)
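The following is an added example, not code from the page or from IBM, that serves both the Input Validation Filter workaround and the detection section above. It runs over a handful of constructed access-log lines and flags /createapi requests whose URL parameter does not use https, applying the same allowlist scheme check a gateway policy or WAF rule would enforce. Repeated percent-decoding and lower-casing are what make it catch file%3A%2F%2F, FILE:// and double-encoded probes that a literal "*file://*" match overlooks. The request path (/createapi), the parameter name (url) and its placement in the query string are assumptions; IBM's actual request format is not given on this page, and if the parameter travels in a POST body it will not appear in access logs at all.

```python
"""Spot /createapi requests whose URL parameter does not use the https scheme.

Constructed example (not IBM's code or logs). Assumes the request path ends in
/createapi and the parameter is named `url` and appears in the query string.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist: the endpoint is documented as expecting https://, so anything else
# (file, ftp, gopher, an empty or unparseable scheme) is treated as suspicious.
ALLOWED_SCHEMES = {"https"}

# Constructed access-log lines in combined log format; not real gateway output.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2026:10:00:01 +0000] "POST /createapi?url=https%3A%2F%2Fpartner.example.com%2Fopenapi.json HTTP/1.1" 200 512
10.0.0.9 - admin [01/Mar/2026:10:00:07 +0000] "POST /createapi?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - admin [01/Mar/2026:10:00:09 +0000] "POST /createapi?url=FILE%3A//%2Fetc%2Fhosts HTTP/1.1" 200 4096
10.0.0.9 - admin [01/Mar/2026:10:00:12 +0000] "POST /createapi?url=file%253A%252F%252F%252Fetc%252Fshadow HTTP/1.1" 400 0
10.0.0.7 - user1 [01/Mar/2026:10:01:00 +0000] "GET /apis HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scheme_of(value: str, max_decode: int = 3) -> str:
    """Lower-cased scheme of `value` after percent-decoding until stable.

    Repeated decoding means a double-encoded probe (file%253A%252F%252F...) is
    recognised as file://, and lower-casing catches FILE:// and File://.
    """
    decoded = value
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return urlsplit(decoded.strip()).scheme.lower()


def is_allowed_url(value: str) -> bool:
    """The check a gateway policy or WAF rule should enforce: https only."""
    return scheme_of(value) in ALLOWED_SCHEMES


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per /createapi request whose url parameter is not https."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.rstrip("/").lower().endswith("/createapi"):
            continue
        # parse_qs percent-decodes once; scheme_of() finishes the job.
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            if name.lower() != "url":
                continue
            for value in values:
                scheme = scheme_of(value)
                if scheme not in ALLOWED_SCHEMES:
                    hits.append({
                        "line": lineno,
                        "client": line.split(" ", 1)[0],
                        "scheme": scheme or "<none>",
                        "value": value,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} scheme={hit['scheme']} url={hit['value']}")
```

On the constructed sample this flags lines 2, 3 and 4 (plain, mixed-case and double-encoded file:// probes) and leaves the legitimate https import alone. The same `is_allowed_url()` decision, wired into a gateway policy or WAF rule, is the allowlist form of the Input Validation Filter workaround; the detector and the filter should agree on what counts as allowed, or the SIEM will either miss what the filter blocks or drown in what it lets through.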