SB2026061972 - Multiple vulnerabilities in IBM Watson Discovery Cartridge
Published: June 19, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-48522)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to server-side request forgery in PyJWKClient when it fetches a JWK Set from an attacker-influenced jku (JWK Set URL) header value. A remote attacker can supply a jku value using the file://, ftp://, or data: scheme so that the application reads a local file or fetches an unintended resource and discloses sensitive information.
User interaction is required, and exploitation depends on the application passing an attacker-influenced jku value to PyJWKClient rather than a fixed, trusted JWKS URL.
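The defensive check that closes this off is to never hand a token-supplied jku value to a JWKS fetcher without validating it first. The following is an added example written for this bulletin, not code from PyJWT or from IBM: it accepts only https URLs to an allow-listed host and rejects the schemes named above, embedded credentials, literal IP addresses and non-standard ports. The host names in ALLOWED_JKU_HOSTS are assumed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list for this example; a deployment would list its own
# identity-provider hosts (assumed names, not taken from the bulletin).
ALLOWED_JKU_HOSTS = frozenset({"login.example.com", "idp.example.org"})


def is_safe_jku(url, allowed_hosts=ALLOWED_JKU_HOSTS):
    """Return True only for an https URL whose host is on the allow-list.

    Everything else is refused before any network or file access happens:
    the file://, ftp:// and data: schemes named in the bulletin, plain http,
    embedded credentials (user@host tricks), literal IP addresses (which
    would let a jku point at loopback or a cloud metadata service) and
    non-standard ports.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname            # lower-cased; IPv6 brackets stripped
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                 # a literal IP never matches an allow-listed name
    except ValueError:
        pass
    if host.rstrip(".") not in allowed_hosts:
        return False
    if port not in (None, 443):
        return False
    return True


def safe_jku_or_none(url, allowed_hosts=ALLOWED_JKU_HOSTS):
    """The URL to hand to a JWKS fetcher, or None to signal that the token's
    jku must be ignored and the token rejected."""
    return url if is_safe_jku(url, allowed_hosts) else None
```

Run the check on the jku value before constructing the JWKS client; if it returns None, reject the token outright rather than falling back to some other key source.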
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-48523)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass the allowed-algorithms policy.
The vulnerability exists due to improper verification of cryptographic signature in the PyJWK verification path when decoding JWTs with a PyJWK object or a PyJWKClient-derived key. A remote user who holds a registered signing key can sign a token with a disallowed algorithm while advertising an allowed algorithm in the JWT header, so that the token passes algorithm policy enforcement even though its signature was not produced with the advertised algorithm.
Exploitation requires control of a registered JWK or JWKS private key, as in multi-tenant or federation-style trust models where keys from several parties are accepted.
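To make the policy bypass concrete, the following added example (written for this bulletin; it is a model of the behaviour described above, not PyJWT's source) builds a token whose header says HS256 while the MAC is computed with HS512, then feeds it to two verifiers. The vulnerable one checks the header alg against the policy but recomputes the MAC with the algorithm carried by the JWK; the hardened one uses a single algorithm for both steps and requires the JWK's declared alg to match the header. The tenant key, JWK and policy are constructed for the example. Only HMAC algorithms are modelled so the block runs with the standard library.

```python
import base64
import hashlib
import hmac
import json

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class VerifyError(Exception):
    pass


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload, key, header_alg, signing_alg):
    """Compact JWS with an HMAC signature. header_alg is what the header
    advertises; signing_alg is what the MAC is really computed with. An honest
    signer passes the same value twice; the attacker here does not."""
    header = json.dumps({"alg": header_alg, "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(payload, separators=(",", ":"))
    signing_input = b64url_encode(header.encode()) + "." + b64url_encode(body.encode())
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[signing_alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def _split(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise VerifyError("malformed token")
    return json.loads(b64url_decode(parts[0])), parts


def _mac_ok(jwk, alg, h, p, s):
    expected = hmac.new(b64url_decode(jwk["k"]), (h + "." + p).encode("ascii"), HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def verify_key_alg_wins(token, jwk, allowed):
    """Vulnerable pattern (a model of the bulletin's description, not PyJWT's
    code): the header alg is checked against the policy, but the MAC is then
    recomputed with the algorithm the JWK object carries."""
    header, (h, p, s) = _split(token)
    if header.get("alg") not in allowed:
        raise VerifyError("alg not allowed")
    if not _mac_ok(jwk, jwk["alg"], h, p, s):
        raise VerifyError("bad signature")
    return json.loads(b64url_decode(p))


def verify_hardened(token, jwk, allowed):
    """Hardened pattern: one algorithm drives both the policy check and the
    MAC, and a JWK that declares an alg must agree with the header."""
    header, (h, p, s) = _split(token)
    alg = header.get("alg")
    if alg not in allowed or alg not in HMAC_ALGS:
        raise VerifyError("alg not allowed")
    if jwk.get("alg") is not None and jwk["alg"] != alg:
        raise VerifyError("header alg %r does not match key alg %r" % (alg, jwk["alg"]))
    if not _mac_ok(jwk, alg, h, p, s):
        raise VerifyError("bad signature")
    return json.loads(b64url_decode(p))


# Constructed tenant key, JWK and policy for the example (not real secrets).
TENANT_KEY = b"tenant-key-for-the-example-only!"
TENANT_JWK = {"kty": "oct", "kid": "tenant-1", "alg": "HS512", "k": b64url_encode(TENANT_KEY)}
POLICY = ["HS256"]  # the application accepts HS256 only


def demo():
    """A key holder signs with HS512 (forbidden by POLICY) but writes HS256 in
    the header. Returns what each verifier does with that token."""
    forged = sign_jws({"sub": "tenant-1", "role": "admin"}, TENANT_KEY, "HS256", "HS512")
    results = {}
    for name, verifier in (("vulnerable", verify_key_alg_wins), ("hardened", verify_hardened)):
        try:
            verifier(forged, TENANT_JWK, POLICY)
            results[name] = "accepted"
        except VerifyError as exc:
            results[name] = "rejected: %s" % exc
    return results
```

The hardened verifier also rejects an honest HS256 token from a key registered as HS512, which is the intended outcome: a key whose declared algorithm the policy forbids should not verify anything.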
3) Improper Cleanup on Thrown Exception (CVE-ID: CVE-2026-48524)
CWE-ID: CWE-460 - Improper Cleanup on Thrown Exception
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper cleanup on thrown exception in PyJWKClient.get_signing_key() and fetch_data() when a JWT carries an unknown kid value and the resulting JWKS refetch fails. A remote attacker can repeatedly send JWTs with unknown, attacker-chosen kid values to force refetches and cause a denial of service.
The issue can reduce authentication availability until the next successful JWKS fetch; the outcome depends on upstream JWKS endpoint behavior such as rate limiting or transient errors.
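The following added example (written for this bulletin; the classes are illustrative models, not PyJWT's PyJWKClient) contrasts the failure mode with a resilient design. The naive cache discards its keys before refetching, so once the upstream endpoint starts failing even known kids cannot be served; the resilient one keeps the last good key set when a refetch fails and allows at most one unknown-kid refetch per cooldown window, which also stops a flood of bogus kids from hammering the JWKS endpoint. The scenario, fetcher and clock are constructed inline.

```python
import time


class JWKSFetchError(Exception):
    """The JWKS endpoint could not be read (timeout, HTTP 429, 5xx, ...)."""


class UnknownKid(Exception):
    """No key with this kid is available; the token must be rejected."""


def _index_by_kid(jwks):
    return {key["kid"]: key for key in jwks["keys"] if "kid" in key}


class NaiveJwksCache:
    """Model of the failure mode (illustrative, not PyJWT's source): a miss
    discards the cached keys before refetching, and a fetch failure leaves
    nothing behind, so later calls for good kids refetch and fail too."""

    def __init__(self, fetcher):
        self.fetcher = fetcher
        self.keys = {}

    def get_signing_key(self, kid):
        if kid not in self.keys:
            self.keys = {}                              # cleared before the fetch
            self.keys = _index_by_kid(self.fetcher())   # on exception, stays {}
        if kid not in self.keys:
            raise UnknownKid(kid)
        return self.keys[kid]


class ResilientJwksCache:
    """Keeps the last good key set when a refetch fails, and performs at most
    one unknown-kid refetch per cooldown window."""

    def __init__(self, fetcher, miss_cooldown=60.0, clock=time.monotonic):
        self.fetcher = fetcher
        self.miss_cooldown = miss_cooldown
        self.clock = clock
        self.keys = {}
        self.last_miss_fetch = float("-inf")

    def get_signing_key(self, kid):
        key = self.keys.get(kid)
        if key is not None:
            return key
        now = self.clock()
        if now - self.last_miss_fetch >= self.miss_cooldown:
            self.last_miss_fetch = now                  # charge the window even on failure
            try:
                self.keys = _index_by_kid(self.fetcher())
            except JWKSFetchError:
                pass                                    # keep serving the old key set
            key = self.keys.get(kid)
            if key is not None:
                return key
        raise UnknownKid(kid)


def run_scenario():
    """Constructed scenario: the first JWKS fetch succeeds, every later fetch
    fails (the IdP answers HTTP 429), and an attacker then presents a stream
    of JWTs with made-up kid values."""
    jwks = {"keys": [{"kid": "good", "kty": "oct", "k": "c2VjcmV0"}]}

    def make_fetcher():
        calls = {"n": 0}

        def fetch():
            calls["n"] += 1
            if calls["n"] > 1:
                raise JWKSFetchError("HTTP 429 Too Many Requests")
            return jwks
        return fetch, calls

    results = {}
    fetch, calls = make_fetcher()
    naive = NaiveJwksCache(fetch)
    naive.get_signing_key("good")                       # initial load works
    try:
        naive.get_signing_key("attacker-kid-1")         # miss, refetch fails
    except (JWKSFetchError, UnknownKid):
        pass
    try:
        naive.get_signing_key("good")
        results["naive_known_kid_after_attack"] = "ok"
    except JWKSFetchError:
        results["naive_known_kid_after_attack"] = "auth down"
    results["naive_upstream_fetches"] = calls["n"]

    fetch, calls = make_fetcher()
    clock = {"t": 0.0}
    cache = ResilientJwksCache(fetch, miss_cooldown=60.0, clock=lambda: clock["t"])
    cache.get_signing_key("good")                       # initial load works
    clock["t"] += 120.0                                 # cooldown has expired
    unknown = 0
    for i in range(1, 101):                             # one refetch allowed, then none
        try:
            cache.get_signing_key("attacker-kid-%d" % i)
        except UnknownKid:
            unknown += 1
    results["resilient_known_kid_after_attack"] = "ok" if cache.get_signing_key("good") else "auth down"
    results["resilient_upstream_fetches"] = calls["n"]
    results["resilient_unknown_rejected"] = unknown
    return results
```

A real deployment would add a periodic background refresh so that legitimately rotated keys still arrive within the cooldown, and would log the refetch failures so that upstream rate limiting is visible to operators.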
4) Resource exhaustion (CVE-ID: CVE-2026-48525)
CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in PyJWS.decode(), PyJWS.decode_complete(), and _load() in jwt/api_jws.py when verifying detached JWS tokens with the unencoded-payload option (b64=false). A remote attacker can send a specially crafted JWS token whose Base64URL payload segment is oversized, causing excessive resource consumption during decoding and a denial of service.
Practical impact depends on whether upstream components (such as a reverse proxy or web server in front of the application) enforce request body-size limits.
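The application-side complement to a proxy body-size limit is to bound every segment of a compact JWS before any decoding work. The following added example (written for this bulletin, not PyJWT code) checks raw segment lengths first, then parses the protected header and handles the RFC 7797 unencoded-payload option: b64=false must be listed in crit, the example's own policy accepts it only in detached form, and the detached payload is bounded as well. The size limits and the sample tokens are constructed for illustration.

```python
import base64
import json

# Constructed limits for the example; tune them to the tokens your IdP issues.
MAX_HEADER_CHARS = 4 * 1024
MAX_PAYLOAD_BYTES = 64 * 1024
MAX_SIGNATURE_CHARS = 1024


class TokenTooLarge(ValueError):
    pass


class MalformedToken(ValueError):
    pass


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def precheck_jws(token, detached_payload=None):
    """Bound every segment of a compact JWS before decoding anything.

    Length checks run on the raw text, so an oversized Base64URL payload
    segment is refused without being decoded. The header is then parsed to
    see whether the token uses b64=false; in that case the in-token payload
    segment must be empty (detached form, this example's policy) and the
    out-of-band payload is bounded too. Returns (header, signing_input).
    """
    if not isinstance(token, str) or token.count(".") != 2:
        raise MalformedToken("compact JWS needs exactly three segments")
    h, p, s = token.split(".")
    if len(h) > MAX_HEADER_CHARS:
        raise TokenTooLarge("header")
    if len(s) > MAX_SIGNATURE_CHARS:
        raise TokenTooLarge("signature")
    if len(p) > MAX_PAYLOAD_BYTES:
        raise TokenTooLarge("payload segment")
    try:
        header = json.loads(b64url_decode(h))
    except ValueError as exc:          # covers binascii.Error and JSONDecodeError
        raise MalformedToken("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise MalformedToken("header must be a JSON object")

    if header.get("b64", True) is False:
        if "b64" not in header.get("crit", []):
            raise MalformedToken("b64=false must be declared in crit")
        if p:
            raise MalformedToken("unencoded payload must be detached")
        if not isinstance(detached_payload, bytes):
            raise MalformedToken("detached payload missing")
        if len(detached_payload) > MAX_PAYLOAD_BYTES:
            raise TokenTooLarge("detached payload")
        signing_input = h.encode("ascii") + b"." + detached_payload
    else:
        if detached_payload is not None:
            raise MalformedToken("detached payload given for an encoded-payload token")
        signing_input = (h + "." + p).encode("ascii")
    return header, signing_input


def classify(token, detached_payload=None):
    """Outcome label for logging (and for exercising the check)."""
    try:
        precheck_jws(token, detached_payload)
        return "ok"
    except TokenTooLarge:
        return "too_large"
    except MalformedToken:
        return "malformed"


def build_examples():
    """Constructed tokens: a normal one, one with an oversized payload segment,
    a detached b64=false one, and a b64=false one that forgot crit. The
    signatures are dummies; the precheck only bounds and parses."""
    sig = b64url_encode(b"\x00" * 32)
    std = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    detached = b64url_encode(json.dumps({"alg": "HS256", "b64": False, "crit": ["b64"]}).encode())
    no_crit = b64url_encode(json.dumps({"alg": "HS256", "b64": False}).encode())
    return {
        "normal": std + "." + b64url_encode(b'{"sub":"alice"}') + "." + sig,
        "oversized": std + "." + "A" * (MAX_PAYLOAD_BYTES + 1) + "." + sig,
        "detached": detached + ".." + sig,
        "detached_no_crit": no_crit + ".." + sig,
    }
```

Run precheck_jws() before handing the token to the JWT library; the signing_input it returns is what the signature is verified over, so a verifier can reuse it instead of re-splitting the token.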
Remediation
Install the update from the vendor's website.