VYPR
High severity (CVSS 7.1) · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-3603

Description

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated XXE vulnerability in IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 allows sensitive file disclosure or memory exhaustion.

Vulnerability

IBM Engineering Lifecycle Management (Jazz Foundation) versions 7.0.3 (iFix001 through iFix021), 7.1.0 (iFix001 through iFix009), and 7.2.0 (including iFix001) are vulnerable to an XML external entity injection (XXE) attack when processing XML data. The flaw is classified as CWE-611: Improper Restriction of XML External Entity Reference. An attacker must be authenticated to reach the vulnerable XML processing functionality [1].

Exploitation

An attacker with valid authentication can craft a malicious XML payload containing external entity references. The payload is submitted to an affected endpoint that parses XML without adequate restriction of external entities. The attack requires network access to the service and does not require any special privileges beyond authentication; no user interaction is needed [1].

Impact

Successful exploitation leads to exposure of sensitive information (e.g., local files readable by the application process) and/or consumption of memory resources, which could degrade system performance. The confidentiality impact is High; the availability impact is Low. Integrity is not affected [1].

Mitigation

IBM has released fixes: upgrade to iFix022 for version 7.0.3, iFix010 for version 7.1.0, and iFix002 for version 7.2.0. No workarounds or mitigations are available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
