External risk intelligence

IBM Business Automation Manager XXE Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-13449

IBM Business Automation Manager is commonly deployed as a business process management and automation platform. These systems often serve as centralized web-based interfaces or API gateways for organizational workflows, making them frequently deployed in network-accessible environments to facilitate integration and user access.

XML External Entity Injection

Ibm Business Automation Manager

9.0.0 to before 9.5.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in IBM Business Automation Manager Open Editions, a platform used for business process management. The flaw, categorized as XML external entity injection, could allow an unauthorized remote attacker to access sensitive information or disrupt system memory. The primary concern is to confirm if our organization utilizes this specific IBM product and, if so, to understand its potential exposure.

  • Allows attackers to read sensitive data.
  • Critical flaw impacts IBM Business Automation Manager.
  • Confirm product relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could start by sending specially crafted XML data to an exposed IBM Business Automation Manager instance. This data would be processed by the application, triggering a vulnerability that allows the attacker to read sensitive files from the server or cause it to consume excessive memory.

  • No authentication required to attack.
  • Malicious XML data triggers vulnerability.
  • Sensitive data disclosure or denial of service.

Live Threat

Current exploitation, exposure, and threat context

When processing XML data, IBM Business Automation Manager Open Editions could expose sensitive information or consume excessive memory resources through an XML external entity injection vulnerability. This could occur when the system parses specially crafted XML input from a remote source.

  • Sensitive information or memory resources.
  • Remote attackers send crafted XML.
  • Information disclosure or denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

IBM Business Automation Manager Open Editions is likely managed by platform or application owners who are responsible for its deployment and operational status. The immediate first step is to identify all instances of the affected technology, confirm their network exposure and business criticality, and locate the accountable owner before planning any remediation.

  • Platform or application owners should own.
  • Verify network exposure and business criticality first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM Business Automation Manager?

IBM Business Automation Manager is an enterprise software platform designed to manage and automate complex business processes. It acts as a centralized hub or API gateway that organizations use to orchestrate workflows and integrate various business services. Because it sits at the intersection of operational data and user interfaces, it is often deployed in network-connected environments to ensure accessibility for internal teams and external integrations.

What does CVE-2026-13449 mean by XML external entity injection?

This vulnerability, classified as CWE-611, occurs when the software improperly configures its XML parser. When the application processes incoming XML data, it may be tricked into fetching unauthorized external files or data entities. Instead of just reading the intended input, the parser follows instructions hidden in the malicious XML to reveal sensitive server-side information or force the system to exhaust its available memory, potentially leading to a crash.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specially crafted XML data to the IBM Business Automation Manager instance. Because the vulnerability lies in how the software processes this input, it does not require the attacker to have valid login credentials or prior access to the system. Importantly, the flaw is not triggered by standard, legitimate XML usage; it requires the inclusion of specific, malicious entity references designed to exploit the parser's configuration.

How do I know if I am at risk?

You should consider this relevant if your organization uses IBM Business Automation Manager versions 9.0.0 through 9.4.2. Halo Surface Signal identifies this as a potential concern for most organizations because these platforms are frequently deployed in internet-facing or network-accessible configurations to support business workflows. If your instance is reachable over the network, it is a primary candidate for review.

What should I do if I run this software?

The first step is to conduct an internal audit to identify all active instances of the affected versions within your environment. Once identified, work with the designated application owners to document the specific network exposure and business criticality of each instance. This data will allow you to prioritize which systems require immediate attention and enable you to coordinate an effective path toward remediation with your technical teams.

References