XML External Entity Injection Vulnerability in IBM Business Automation Workflow
CVE-2025-13096

7.1HIGH

Key Information:

Vendor: IBM
Status: Business Automation Workflow Containers; Business Automation Workflow Traditional
Vendor: CVE Published:; 2 February 2026

What is CVE-2025-13096?

The IBM Business Automation Workflow, both in its containerized and traditional forms, is affected by a vulnerability that allows for XML external entity injection (XXE) when processing XML data. This issue enables a remote attacker to exploit the vulnerable versions to gain access to sensitive information or exhaust memory resources, potentially compromising the integrity of systems that rely on this workflow solution.

Affected Version(s)

Business Automation Workflow containers V25.0.0

Business Automation Workflow containers V24.0.1

Business Automation Workflow containers V24.0.0

References

https://www.ibm.com/support/pages/node/7259321

vendor-advisorypatch

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 2, 2026
Vulnerability Reserved
Nov 12, 2025

CVE-2025-13096 Data

JSON