CVE-2025-13691
Published: 17 February 2026
Summary
CVE-2025-13691 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in IBM DataStage on Cloud Pak for Data. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE is ranked at the 20.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-13691 is a vulnerability in IBM DataStage on Cloud Pak for Data versions 5.1.2 through 5.3.0, where the software returns sensitive information in an HTTP response. This exposure could enable impersonation of other users within the system. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-497.
The vulnerability can be exploited by a low-privileged authenticated user (PR:L) over the network (AV:N) with low attack complexity and no user interaction. Exploitation yields high confidentiality and integrity impacts (C:H/I:H), allowing the attacker to capture sensitive data from HTTP responses and use it to impersonate other users in the system, without affecting availability.
IBM provides details on remediation in its security advisory at https://www.ibm.com/support/pages/node/7259956. Security practitioners should consult this reference for patching instructions and mitigation steps applicable to affected versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207822
Vulnerability details
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly exposes sensitive information (credentials/tokens) via HTTP responses to authenticated users, enabling credential theft (T1552 Unsecured Credentials) followed by impersonation via valid accounts (T1078).
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering sensitive information out of outputs such as HTTP responses, so that a low-privileged user cannot obtain data that would enable impersonation.
AC-3 enforces access control policies to ensure low-privileged users cannot receive sensitive information belonging to other users in system responses.
SI-2 mandates identification and timely remediation of flaws such as this HTTP response information disclosure vulnerability through patching.
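The AC-3 and SI-15 controls above describe two complementary checks that a web service can apply before any user record leaves the server: an object-level authorization decision (the requester may only read their own record unless they hold an administrative role) and an allowlist projection of the record so that credential-like fields are never serialized, backed by a fail-closed scan of the outgoing body. The following Python is an added illustration written for this page; it is not IBM DataStage code and says nothing about how the affected product is implemented. The `Principal` class, the `USER_STORE` records, the field names and all placeholder values are constructed for the example.

```python
"""
Illustrative access enforcement (AC-3) and output filtering (SI-15) for a JSON API.
Constructed example for this advisory page; not IBM DataStage code.
All records, field names and values below are made up.
"""
import json
import re
from dataclasses import dataclass

# SI-15: the only user-record fields that may ever be serialized. A tuple keeps
# output order deterministic; anything not listed is dropped, nested data included.
USER_RESPONSE_FIELDS = ("id", "display_name", "role")

# Defense in depth: key names that must never appear anywhere in a response body.
SECRET_KEY_PATTERN = re.compile(r"(password|secret|token|session|api_key|credential)", re.I)


@dataclass(frozen=True)
class Principal:
    """Hypothetical authenticated caller. role is 'user' or 'admin'."""
    user_id: str
    role: str


# Constructed backing store. Values are placeholders, not real credentials.
USER_STORE = {
    "u-100": {"id": "u-100", "display_name": "alice", "role": "admin",
              "password_hash": "PLACEHOLDER_HASH", "session_token": "PLACEHOLDER_TOKEN",
              "profile": {"email": "alice@example.test", "api_key": "PLACEHOLDER_KEY"}},
    "u-200": {"id": "u-200", "display_name": "bob", "role": "user",
              "password_hash": "PLACEHOLDER_HASH", "session_token": "PLACEHOLDER_TOKEN",
              "profile": {"email": "bob@example.test", "api_key": "PLACEHOLDER_KEY"}},
}


def authorize_user_read(requester: Principal, target_user_id: str) -> bool:
    """AC-3: a user may read only their own record; admins may read any record."""
    return requester.role == "admin" or requester.user_id == target_user_id


def filter_user_record(record: dict) -> dict:
    """SI-15: allowlist projection of a stored record onto the public response shape."""
    return {k: record[k] for k in USER_RESPONSE_FIELDS if k in record}


def find_secret_keys(obj, path: str = "") -> list:
    """Walk a JSON-like structure and return the paths of keys that look like credentials."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else str(k)
            if SECRET_KEY_PATTERN.search(str(k)):
                hits.append(p)
            hits.extend(find_secret_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_secret_keys(v, f"{path}[{i}]"))
    return hits


def build_user_response(requester: Principal, target_user_id: str) -> tuple:
    """Return (status_code, body_json).

    Authorization is decided before any data is read, and the body is scanned
    after projection so that a serializer regression fails closed instead of
    turning into an information disclosure.
    """
    if not authorize_user_read(requester, target_user_id):
        return 403, json.dumps({"error": "forbidden"})
    record = USER_STORE.get(target_user_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    body = filter_user_record(record)
    if find_secret_keys(body):
        return 500, json.dumps({"error": "response blocked by output filter"})
    return 200, json.dumps(body)


if __name__ == "__main__":
    bob = Principal("u-200", "user")
    print(build_user_response(bob, "u-200"))   # own record, filtered to public fields
    print(build_user_response(bob, "u-100"))   # another user's record: 403, nothing read
    print(find_secret_keys(USER_STORE["u-100"]))  # what an unfiltered record would leak
```

The order of the two checks matters: the authorization decision runs before the record is loaded, so a denied request never touches the sensitive data, and the output scan runs on the projected body rather than the stored record, so it detects a field that slipped through the allowlist instead of merely reporting what the database holds.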