Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.
Published: 2026-06-30
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server-side request forgery that occurs when the adminCenter-1.0 feature is enabled in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.7. An attacker can cause the server to issue requests to arbitrary URLs, potentially accessing internal resources, exfiltrating data, or performing denial-of-service actions. This flaw corresponds to CWE-918 and can be significant if the application has privileged network access.

Affected Systems

IBM WebSphere Application Server Liberty is affected, with the vulnerable releases being 17.0.0.3 up to 26.0.0.7 when the adminCenter-1.0 feature is enabled. Other versions of Liberty outside this range, or any version with the feature disabled, are not impacted.

Risk and Exploitability

The CVSS base score of 7.1 (rated High) indicates moderate to high risk. The EPSS score is not available, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is remote, through the WebSphere administrative console or APIs that access the adminCenter-1.0 feature. An attacker would need to interact with the application's server-side code that processes outbound requests; no local privilege escalation is required.

Generated by OpenCVE AI on June 30, 2026 at 21:23 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71841. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature (https://www.ibm.com/support/pages/node/6553910).

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.7 using the adminCenter-1.0 feature:

  • Upgrade to the minimal fix pack levels required by the interim fix, then apply the interim fix that resolves PH71841 (https://www.ibm.com/support/pages/node/7278379)
  --OR--
  • Apply Liberty Fix Pack 26.0.0.8 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the interim fix PH71841 after upgrading to the minimal required fix pack level for your release.
  • Apply the interim fix PH71841 from the IBM support download page.
  • Upgrade to Liberty Fix Pack 26.0.0.8 or later when it becomes available.
  • As a temporary measure, disable the adminCenter-1.0 feature if it is not required for your environment.
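As an added defender-side check (not IBM's or OpenCVE's code), the following Python script reads a Liberty server.xml, reports whether the adminCenter-1.0 feature is declared, and tests the server's version against the affected range 17.0.0.3 through 26.0.0.7. The server.xml below is a constructed sample; features pulled in through <include> elements are not resolved, and case-insensitive feature matching is an assumption.

```python
import xml.etree.ElementTree as ET

AFFECTED_FEATURE = "adminCenter-1.0"   # feature named in the advisory
AFFECTED_MIN = (17, 0, 0, 3)           # affected range from the advisory
AFFECTED_MAX = (26, 0, 0, 7)

# Constructed sample server.xml (not taken from any real deployment).
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager>
    <feature>jsp-2.3</feature>
    <feature>adminCenter-1.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
</server>"""


def parse_version(text):
    """'24.0.0.12' -> (24, 0, 0, 12); anything else raises ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Liberty version format: {text!r}")
    return parts


def enabled_features(server_xml):
    """Feature names declared under every <featureManager> in the given XML.
    Assumption: nothing pulled in through <include> elements is resolved here,
    so included configuration files must be checked separately."""
    root = ET.fromstring(server_xml)
    names = set()
    for manager in root.iter("featureManager"):
        for feature in manager.findall("feature"):
            if feature.text and feature.text.strip():
                names.add(feature.text.strip())
    return names


def assess(server_xml, version):
    """Return (feature_enabled, version_in_range, exposed)."""
    # Feature names are compared case-insensitively (assumption about Liberty's matching).
    declared = {name.lower() for name in enabled_features(server_xml)}
    feature_on = AFFECTED_FEATURE.lower() in declared
    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return feature_on, in_range, feature_on and in_range


if __name__ == "__main__":
    for version in ("24.0.0.7", "26.0.0.8"):
        print(version, assess(SAMPLE_SERVER_XML, version))
```

A result of (True, False, False) for 26.0.0.8 reflects the fix pack level the vendor names, not a guarantee that a given interim fix is installed.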

Generated by OpenCVE AI on June 30, 2026 at 21:23 UTC.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.
Title | | IBM WebSphere Application Server Liberty is affected by a server-side request forgery vulnerability
First Time appeared | | Ibm; Ibm websphere Application Server Liberty
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.7:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm websphere Application Server Liberty
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}


Subscriptions

Ibm Websphere Application Server Liberty
MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:51:21.924Z

Reserved: 2026-06-08T03:17:22.426Z

Link: CVE-2026-11546

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)