vulnerability | International | The Hacker News
IBM API Connect Critical Authentication Bypass Disclosed
Friday, January 2, 2026
What
A critical authentication bypass flaw (CVE-2025-13915) in IBM API Connect, rated CVSS 9.8, allows remote attackers to gain unauthorized access. The vulnerability is significant because it could compromise API management platforms used by major organizations globally.
Where
IBM API Connect versions 10.0.8.0-10.0.8.5 and 10.0.11.0 are affected, impacting organizations worldwide that use the platform for API management.
When
Disclosed by IBM on January 2, 2026, following internal testing.
Key Factors
- The vulnerability is an authentication bypass flaw, allowing attackers to circumvent security mechanisms and access the application without valid credentials.
- Rated critical with a CVSS score of 9.8, indicating a severe impact due to its remote exploitability and potential for full system compromise.
- A temporary mitigation involves disabling self-service sign-up on the Developer Portal, reducing the attack surface for organizations unable to apply the full fix immediately.
Takeaways
- Immediately apply the official interim fix from IBM Fix Central for affected API Connect versions to prevent exploitation.
- If immediate patching is not possible, disable self-service sign-up on the Developer Portal as a temporary workaround to minimize exposure.