CVE-2026-3366
Description
IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM InfoSphere Optim Test Data Fabrication is vulnerable to directory traversal, allowing remote unauthenticated attackers to read arbitrary files via crafted URLs.
Vulnerability
IBM InfoSphere Optim Test Data Fabrication versions 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, and 1.0.2.7 are affected by a path traversal vulnerability (CWE-22) [1]. The flaw exists in the Resource Manager component, which does not properly sanitize user-supplied URL input, allowing an attacker to include ../ sequences to escape the intended directory and access arbitrary files on the system [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a specially crafted HTTP request containing dot-dot-slash (/../) sequences to an affected endpoint [1]. No authentication is required, and the attack does not require any user interaction or special network position beyond reachability to the vulnerable service [1]. The only prerequisite is that the attacker can make HTTP requests to the system.
Impact
Successful exploitation allows a remote, unauthenticated attacker to read arbitrary files from the server file system [1]. This can lead to disclosure of sensitive information such as configuration files, credentials, or application source code [1]. The impact is limited to confidentiality; integrity and availability are not affected (CVSS 7.5, High) [1].
Mitigation
IBM has indicated that workarounds are available; customers should contact IBM Technical Support for instructions and resolution [1]. As of publication (12 May 2026), the available references do not list a specific fixed version [1]. Organizations using affected versions should contact IBM support immediately and apply any provided workaround or patch as soon as it becomes available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.0.2.7
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.