CVE-2026-15322
IBM · Engineering AI Hub
IBM Engineering AI Hub is vulnerable to the improper use of sensitive information in HTTP query strings, which could lead to unauthorized data exposure.
Executive summary
An information exposure vulnerability in IBM Engineering AI Hub may allow unauthorized parties to access sensitive data via HTTP request query strings.
Vulnerability
This vulnerability (CWE-598) involves the use of HTTP GET requests to transmit sensitive information, which may be logged by servers or proxies. It is an unauthenticated vulnerability, meaning no prior access is required to exploit the flaw.
Business impact
The exposure of sensitive query parameters can lead to the compromise of credentials or other proprietary information, resulting in unauthorized access to the system. The CVSS score of 7.5 reflects the high risk of information leakage, which could have severe consequences for data privacy and compliance.
Remediation
Immediate Action: Upgrade all instances of IBM Engineering AI Hub to version 1.3.0 as specified in the IBM support documentation.
Proactive Monitoring: Review web server and proxy logs to identify any instances where sensitive tokens or parameters may have been inadvertently captured in request URLs.
Compensating Controls: Ensure that all traffic to the application is encrypted via TLS and consider implementing a WAF to inspect and scrub sensitive information from incoming request strings.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations utilizing IBM Engineering AI Hub must prioritize the upgrade to version 1.3.0 to mitigate this data exposure risk. Given the ease of exploitation, remediating this issue is critical to maintaining the confidentiality of sensitive information handled by the platform.