Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.
Published: 2026-03-25
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Security Weakness
Action: Apply Patch
AI Analysis

Impact

When administrators of IBM WebSphere Application Server Liberty configure security settings, the server could provide weaker than expected security. The weakness, classified as CWE-1393, could lead to unauthorized configuration changes or other misuse of administrative controls, compromising the integrity of security enforcement within the application server.

Affected Systems

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3, specifically when the appSecurity-1.0 to appSecurity-5.0 features are enabled.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation currently. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be local or privileged admin access, as the weakness emerges during administration of security settings. Official remediation requires applying an interim fix or a newer fix pack as directed by IBM.

Generated by OpenCVE AI on March 30, 2026 at 18:31 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70078. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to "How to determine if Liberty is using a specific feature": https://www.ibm.com/support/pages/node/6553910

Attention: After installing the interim fix or fix pack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s):

  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70078 (https://www.ibm.com/support/pages/node/7266845) and carefully follow the instructions for steps required after fix installation.

--OR--

  • Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the interim fix PH70078 following IBM's instructions.
  • If the interim fix is not available, upgrade to fix pack 26.0.0.4 or later.
  • Confirm the appSecurity features are correctly configured as described in IBM's guidance.
  • After installation, review IBM instructions for post-fix steps and ensure the system is functioning.
  • Monitor IBM support pages for further updates or additional interim fixes.

Generated by OpenCVE AI on March 30, 2026 at 18:31 UTC.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Apple
  Apple macos
  Ibm aix
  Ibm i
  Ibm websphere Application Server
  Ibm z/os
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
  cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*
  cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Apple
  Apple macos
  Ibm aix
  Ibm i
  Ibm websphere Application Server
  Ibm z/os
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows

Thu, 26 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added:
  IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.

Type: Title
Values Removed: (none)
Values Added:
  IBM WebSphere Application Server Liberty could provide weaker than expected security

Type: First Time appeared
Values Removed: (none)
Values Added:
  Ibm
  Ibm websphere Application Server Liberty

Type: Weaknesses
Values Removed: (none)
Values Added:
  CWE-1393

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.3:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Ibm
  Ibm websphere Application Server Liberty

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1
  {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-27T03:55:36.998Z

Reserved: 2025-12-18T19:59:28.180Z

Link: CVE-2025-14917

Vulnrichment

Updated: 2026-03-26T17:49:44.744Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:24.550

Modified: 2026-03-30T16:59:11.230

Link: CVE-2025-14917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:53Z

Weaknesses