CVE-2026-2606 is a medium-severity path traversal vulnerability (CWE-22) affecting IBM webMethods API Gateway (on-prem) versions 10.11, 10.15, and 11.1. The vulnerability stems from insufficient validation of the 'url' parameter on the /createapi endpoint. Instead of restricting input to expected HTTPS URLs, the application fails to block file:// URI schemes. An attacker can exploit this by crafting a malicious request that uses the file:// scheme to access arbitrary files on the underlying server's filesystem. This results in unauthorized disclosure of sensitive files, potentially including configuration files, credentials, or other critical data. The vulnerability requires the attacker to have limited privileges (PR:L), but no user interaction is needed, and the attack can be performed remotely over the network (AV:N). The CVSS v3.1 base score is 6.5, reflecting high confidentiality impact but no impact on integrity or availability. No public exploit code or active exploitation has been reported to date. The flaw affects multiple versions of IBM’s on-premises API Gateway product, which is widely used in enterprise environments to manage and secure APIs. The vulnerability could be leveraged by attackers to gain intelligence on the target environment or facilitate further attacks.

The primary impact of CVE-2026-2606 is unauthorized disclosure of sensitive information due to arbitrary file read on the server hosting IBM webMethods API Gateway. This can lead to exposure of configuration files, credentials, or other sensitive data that could compromise the security posture of the affected organization. Such information leakage can facilitate lateral movement, privilege escalation, or further targeted attacks. Since the vulnerability does not affect integrity or availability, it does not directly enable data modification or service disruption. However, the confidentiality breach alone can have severe consequences, especially in environments handling sensitive or regulated data. Organizations relying on IBM webMethods API Gateway for API management and security may face increased risk of data breaches and compliance violations if this vulnerability is exploited. The ease of exploitation and remote attack vector increase the threat level, particularly in environments where limited privilege accounts can access the vulnerable endpoint.

To mitigate CVE-2026-2606, organizations should: 1) Apply the latest IBM patches or fixes as soon as they become available, as IBM is expected to release updates addressing this vulnerability. 2) Implement strict input validation and sanitization on the /createapi endpoint to ensure only expected URL schemas (e.g., https://) are accepted, explicitly blocking file:// and other potentially dangerous schemes. 3) Restrict access to the /createapi endpoint to trusted users and networks using network segmentation, firewall rules, and strong authentication controls. 4) Monitor logs and network traffic for suspicious requests containing file:// URIs or unusual access patterns to detect attempted exploitation. 5) Employ the principle of least privilege for accounts accessing the API Gateway, minimizing the risk posed by compromised credentials. 6) Conduct regular security assessments and penetration testing focused on API endpoints to identify similar input validation weaknesses. 7) Consider deploying web application firewalls (WAFs) with custom rules to block malicious URI schemes targeting the vulnerable endpoint. These measures combined will reduce the risk of exploitation until patches are applied.