- IBM disclosed a critical authentication bypass in API Connect, tracked as CVE-2025-13915 and rated 9.8 CVSS.
- Affected releases include 10.0.8.0 through 10.0.8.5 and 10.0.11.0.
- IBM provides an interim fix and detailed installation steps; customers who cannot patch should disable self-service sign-up on their Developer Portal.
- There is currently no evidence the flaw has been exploited in the wild; users are urged to apply fixes promptly.
IBM disclosed on Dec. 31, 2026 that a critical security flaw exists in API Connect. According to the vendor bulletin, the issue could let a remote attacker bypass authentication and gain unauthorized access to the application (see the IBM bulletin). The flaw is recorded as CVE-2025-13915 and has a CVSS score of 9.8.
The vulnerability affects API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0. IBM lists an interim fix package and step-by-step instructions for installation on its support site; customers should follow the fix instructions. The fix archive includes a Readme.md and a file named ibm-apiconnect-<version>-ifix.13195.tar.gz.
“IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application,” the vendor said in its advisory. IBM also noted a mitigation: “Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability.”
Definition: Authentication bypass — a flaw that allows access without valid credentials. Definition: CVE — a Common Vulnerabilities and Exposures identifier used to track security issues.
API Connect is an end-to-end API management solution for cloud and on-premises environments; IBM provides an overview at its product page and detailed documentation in the API Connect overview. Known users of the product include organizations such as Axis Bank, Etihad Airways, and Tata Consultancy Services.
IBM reports no evidence of active exploitation. Customers are advised to download and apply the interim fix from Fix Central and follow IBM’s published steps to ensure protection.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
