PatchSiren cyber security CVE debrief
CVE-2025-36145 IBM CVE debrief
IBM watsonx.data 2.2 through 2.3.1 contains a network access control weakness in its IBM Lakehouse component. The vulnerability stems from improper restriction of inbound and outbound connections, which could allow an authenticated attacker with low privileges to transfer or modify files without adequate restrictions. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, with low impact to confidentiality and integrity but no availability impact. The weakness is classified under CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints). This vulnerability was published to the NVD on 2026-05-26 and remains in 'Awaiting Analysis' status. IBM has published a security bulletin with remediation guidance. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: IBM
- Product: watsonx.data
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running IBM watsonx.data 2.2 through 2.3.1, particularly those with Lakehouse deployments handling sensitive data. Data platform administrators, security architects designing watsonx.data network topologies, and compliance teams responsible for data governance in IBM cloud data platforms should prioritize assessment.
Technical summary
The IBM Lakehouse component in watsonx.data versions 2.2 through 2.3.1 fails to properly restrict inbound and outbound network connections. An authenticated attacker with low privileges and network access could leverage this weakness to transfer files to unauthorized destinations or modify files without proper authorization controls. Exploitation requires network access but no user interaction, and attack complexity is rated low. Impact is limited to confidentiality and integrity (low severity each); availability is not affected.
Defensive priority
medium
Recommended defensive actions
- Review IBM security bulletin for official patch availability and deployment instructions
- Upgrade IBM watsonx.data to a fixed version per vendor guidance
- Implement network segmentation to restrict Lakehouse component connectivity to authorized endpoints only
- Monitor for anomalous file transfer activity in watsonx.data environments
- Apply principle of least privilege to watsonx.data user accounts
- Review firewall and security group rules governing Lakehouse inbound/outbound connections
Evidence notes
Vulnerability description and CVSS scoring derived from NVD record. CWE-923 classification sourced from IBM PSIRT reference. Affected version range (2.2 through 2.3.1) and product identification (IBM watsonx.data, IBM Lakehouse) from official CVE description. Vendor attribution confirmed via IBM PSIRT contact and security bulletin reference.
Official resources
- CVE-2025-36145 CVE record (CVE.org)
- CVE-2025-36145 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: 2026-05-26