Description
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.
Published: 2026-06-22
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server 8.5 and 9.0 contain a flaw that allows a remote attacker to bypass authentication controls and gain unauthorized access to JAX‑WS applications. The vulnerability does not require local access, and it enables the attacker to invoke application functionality without valid credentials.

Affected Systems

The affected products are IBM WebSphere Application Server 8.5 and 9.0. Specific vulnerable versions are V8.5.0.0 through V8.5.5.29 for 8.5 and V9.0.0.0 through V9.0.5.28 for 9.0. IBM recommends applying the interim fix for APAR PH71648 or upgrading to Fix Pack 8.5.5.30 or later for 8.5, and Fix Pack 9.0.5.29 or later for 9.0.

Risk and Exploitability

The flaw is exploitable remotely; an attacker needs no local access. Because it bypasses authentication, the potential impact on JAX-WS services is high: they can be invoked without authorization. No EPSS score is provided, and the issue is not listed in CISA KEV. The risk rating rests solely on the authentication bypass itself, that is, access to protected application resources without valid credentials. The CVSS score is 7.3, indicating high severity.

Generated by OpenCVE AI on June 22, 2026 at 19:24 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71648.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71648: https://www.ibm.com/support/pages/node/7276411
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71648: https://www.ibm.com/support/pages/node/7276411
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the interim fix for APAR PH71648 as described on the IBM support site.
  • Upgrade to Fix Pack 9.0.5.29 or later if running WebSphere 9.0.
  • Upgrade to Fix Pack 8.5.5.30 or later if running WebSphere 8.5.
  • Consult the interim fix download page for additional interim fixes relevant to your release.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type: Metrics
Values Removed: -
Values Added:
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type: Description
Values Removed: -
Values Added: IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.

Type: Title
Values Removed: -
Values Added: IBM WebSphere Application Server is affected by an authentication bypass vulnerability

Type: First Time appeared
Values Removed: -
Values Added:
  Ibm
  Ibm websphere Application Server

Type: Weaknesses
Values Removed: -
Values Added: CWE-287

Type: CPEs
Values Removed: -
Values Added:
  cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: -
Values Added:
  Ibm
  Ibm websphere Application Server
References

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T16:06:02.894Z

Reserved: 2026-06-04T12:02:38.679Z

Link: CVE-2026-10845

Vulnrichment

Updated: 2026-06-22T16:05:53.970Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T19:30:06Z

Weaknesses