SB2026070212 - IBM DataPower Gateway update for Axios
Published: July 2, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Prototype pollution (CVE-ID: CVE-2026-42264)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject credentials and hijack requests.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the HTTP adapter when reading configuration properties via direct property access from polluted prototypes. A remote attacker can pollute Object.prototype through another dependency in the same process to inject credentials and hijack requests.
Exploitation requires prototype pollution by another dependency in the same process, and requests using relative URLs can be redirected to an attacker-controlled server.
Remediation
Install update from vendor's website.