CVE-2026-5515
Description
IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitive information in log files that could be read by a local user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 with WS-Security and Java 17 logs sensitive information accessible to local users.
Vulnerability
IBM App Connect Enterprise versions 13.0.1.0 through 13.0.7.0, when using WS-Security with Java 17, stores potentially sensitive information in log files. The vulnerability exists because the application does not properly sanitize sensitive data before writing it to logs. This issue is specifically triggered when the WS-Security feature is enabled and Java 17 is used as the runtime environment [1].
Exploitation
An attacker must have local access to the system running the affected IBM App Connect Enterprise instance. No special privileges beyond the ability to read log files on the local file system are required. The attacker can read the log files where sensitive information (such as credentials or other confidential data) may have been written during normal operation of the WS-Security functionality [1].
Impact
Successful exploitation leads to disclosure of sensitive information (confidentiality impact). The CVSS v3.1 base score is 5.5 (Medium) with vector AV:L/AC:L/PR:L/S:U/C:H/I:N/A:N, indicating high confidentiality impact and no integrity or availability impact [1]. The attacker gains access to potential credentials or other sensitive data contained in the logs.
Mitigation
IBM has released the fix via APAR IT49227, available in IBM App Connect Enterprise Fix Pack Release 13.0.7.1. Users should upgrade to version 13.0.7.1 or later. No workarounds are provided by the vendor [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=13.0.1.0, <=13.0.7.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.