CVE-2025-36144: CWE-532 Insertion of Sensitive Information into Log File in IBM watsonx.data

Low
Vulnerability, CVE-2025-36144, cve, cve-2025-36144, cwe-532
Published: Sat Sep 27 2025 (09/27/2025, 00:05:08 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: watsonx.data

Description

IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.

AI-Powered Analysis

AI analysis last updated: 09/27/2025, 00:48:38 UTC

Technical Analysis

CVE-2025-36144 is a vulnerability in IBM watsonx.data version 2.2, part of the IBM Lakehouse platform. It is categorized under CWE-532 (Insertion of Sensitive Information into Log File): watsonx.data writes potentially sensitive information to its log files, and those files can be read by local users on the system, so anything recorded there could be exposed to unauthorized personnel with local access. The vulnerability has a CVSS v3.1 base score of 3.3 (low severity). The attack vector is local (AV:L), with low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been published yet. Because the flaw cannot be exploited over the network, its scope is limited to users who already have some level of local access to the system hosting watsonx.data. The core risk is inadvertent exposure of sensitive information through logs, which could include credentials, personal data, or other confidential information depending on what the application logs. If local access controls are insufficient, this could facilitate further attacks or data leakage.

Potential Impact

For European organizations using IBM watsonx.data 2.2, this vulnerability poses a risk primarily related to confidentiality breaches. Since the sensitive information is stored in log files accessible to local users, any insider threat or compromised local account could lead to unauthorized data exposure. This is particularly concerning for organizations handling sensitive personal data under GDPR, as unauthorized disclosure could lead to regulatory penalties and reputational damage. The impact on system integrity and availability is negligible, but the confidentiality risk could facilitate lateral movement or privilege escalation if sensitive credentials or tokens are exposed. Organizations in sectors such as finance, healthcare, and government, which often deploy IBM Lakehouse solutions for data analytics and storage, may be more affected. The local access requirement limits the threat to environments where multiple users have access to the same systems or where endpoint security is weak. However, given the critical nature of data processed by watsonx.data, even low-severity confidentiality leaks can have significant consequences in regulated European markets.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement strict access controls and monitoring on systems running IBM watsonx.data 2.2 to limit local user access to log files. Employ file system permissions to restrict log file readability to only necessary service accounts or administrators. Organizations should audit and sanitize logging configurations to ensure that sensitive information is not unnecessarily logged. Where possible, enable log redaction or masking features if supported by the platform. Regularly review and rotate credentials and secrets that might be logged to reduce the risk of exposure. Implement host-based intrusion detection systems (HIDS) to monitor unauthorized access attempts to log files. Additionally, organizations should maintain up-to-date backups and consider isolating critical data processing environments to reduce insider threat risks. Since no patches are currently available, these compensating controls are essential until IBM releases an official fix. Finally, organizations should prepare incident response plans to address potential data exposure incidents stemming from this vulnerability.
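The permission and logging audit recommended above can be scripted. The following Python sketch is an added example, not IBM tooling or code from this advisory: it walks a log directory, flags files readable beyond their owner, and reports the location of secret-like lines. The patterns and the sample directory are assumptions constructed for illustration; point `audit_log_dir` at the log location your own deployment uses.

```python
import os
import re
import stat
import tempfile

# Assumed patterns for secret-like values; tune to what your deployment actually logs.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*\S+"),
    re.compile(r"(?i)\bauthorization:\s*(bearer|basic)\s+\S+"),
]

def audit_log_dir(log_dir):
    """Return (overexposed_files, secret_hits) for every regular file under log_dir."""
    overexposed, hits = [], []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            # Group- or world-readable logs are what a low-privileged local user can read.
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                overexposed.append((path, oct(stat.S_IMODE(st.st_mode))))
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in SECRET_PATTERNS):
                        hits.append((path, lineno))  # report location only, never the value
    return overexposed, hits

def build_demo_dir():
    """Create a constructed sample log directory (not real watsonx.data output)."""
    d = tempfile.mkdtemp(prefix="logaudit-")
    samples = {
        "service.log": ("2025-09-27 INFO connecting to catalog\n"
                        "2025-09-27 DEBUG jdbc user=svc password=Example123!\n", 0o644),
        "audit.log": ("2025-09-27 INFO query finished in 120 ms\n", 0o600),
    }
    for name, (text, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return d

if __name__ == "__main__":
    exposed, found = audit_log_dir(build_demo_dir())
    for path, mode in exposed:
        print(f"readable beyond owner: {path} ({mode})")
    for path, lineno in found:
        print(f"secret-like value: {path}:{lineno}")
```

Files it flags as readable beyond the owner are candidates for tightening to `0600` or `0640` under the service account, and any credential found on a flagged line should be rotated.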

Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:19.940Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68d730e279aa5c9d085546ff

Added to database: 9/27/2025, 12:33:38 AM

Last enriched: 9/27/2025, 12:48:38 AM

Last updated: 9/27/2025, 1:20:10 AM
