Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated, privileged user to increase their privileges through the restConnector-1.0 or restConnector-2.0 features in IBM WebSphere Application Server Liberty. It is associated with the information exposure weakness identified by CWE-200 and enables the attacker to modify server configuration or access sensitive data beyond their original authorization.

Affected Systems

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 are impacted when the restConnector-1.0 or restConnector-2.0 features are enabled. The flaw is present on all operating systems that support Liberty, including macOS, IBM AIX, IBM i, IBM z/OS, Linux, and Windows.

Risk and Exploitability

The CVSS assessment scores the flaw at 6.5, indicating medium severity. The EPSS exploit probability is very low (below 1%) and the vulnerability is not cataloged in CISA's Known Exploited Vulnerabilities list. Because the issue requires an already authenticated user with some privileges and the restConnector features active, the most likely attack path is local or lateral within a compromised environment, allowing the attacker to elevate privileges and potentially alter application data or settings.

Generated by OpenCVE AI on March 30, 2026 at 19:28 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70327. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to "How to determine if Liberty is using a specific feature" (https://www.ibm.com/support/pages/node/6553910).

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the restConnector-1.0 or restConnector-2.0 feature(s):

  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70327 (https://www.ibm.com/support/pages/node/7266844)
  --OR--
  • Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the interim fix for PH70327 or upgrade to Liberty Fix Pack 26.0.0.4 or later.
  • If the interim fix is not yet available, update to the minimal required fix pack level and then apply the interim fix.
  • Verify whether the restConnector-1.0 or restConnector-2.0 features are enabled and disable them if not needed.
  • Regularly check IBM’s support pages for newer fixes or advisories.



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Ibm aix
Ibm i
Ibm websphere Application Server
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Ibm aix
Ibm i
Ibm websphere Application Server
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the application server.
Title IBM WebSphere Application Server Liberty is affected by a privilege escalation vulnerability
First Time appeared Ibm
Ibm websphere Application Server Liberty
Weaknesses CWE-200
CPEs cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server Liberty
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-27T03:55:36.433Z

Reserved: 2025-12-18T19:51:26.277Z

Link: CVE-2025-14915

Vulnrichment

Updated: 2026-03-26T15:25:26.087Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:24.363

Modified: 2026-03-30T16:59:31.840

Link: CVE-2025-14915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:54Z

Weaknesses