SB2026022658 - Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration



SB2026022658 - Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration

Published: February 26, 2026

Security Bulletin ID SB2026022658
CSH Severity
Critical
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 33% High 33% Medium 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper verification of cryptographic signature (CVE-ID: CVE-2025-65945)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper signature verification under specific conditions when using the HS256 algorithm within the jws.createVerify() function. A remote attacker can manipulate header or payload in the HMAC secret lookup routines and bypass authorization checks. 


2) Deserialization of Untrusted Data (CVE-ID: CVE-2025-68664)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the dumps() and dumpd() functions. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Incomplete Filtering of Special Elements (CVE-ID: CVE-2025-12758)

CWE-ID: CWE-791 - Incomplete Filtering of Special Elements

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (uFE0F, uFE0E) appearing in a sequence which lead to improper string length calculation. A remote attacker can trick an application into using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service


Remediation

Install update from vendor's website.