IBM Cloud Pak for Business Automation 24.0.x IDOR Enables Authenticated Leak
CVE-2025-36023 Published on August 8, 2025
IBM Cloud Pak for Business Automation security bypass
IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.
Vulnerability Analysis
CVE-2025-36023 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2025-36023 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2025-36023
Want to know whenever a new CVE is published for IBM Cloud Pak Business Automation? stack.watch will email you.
Affected Versions
IBM Cloud Pak for Business Automation:- Version 24.0.0, <= 24.0.0 IF005 is affected.
- Version 24.0.1, <= 24.0.1 IF002 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.