Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.
Published: 2026-06-30
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server-side request forgery vulnerability exists when the apiDiscovery-1.0 feature is enabled in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.7. The flaw lets an attacker craft requests that cause the server to perform outbound calls on the attacker's behalf. This can expose internal resources, reveal configuration details, or allow data leaks. The vulnerability is classified as CWE-918. The potential impact is loss of confidentiality, integrity, and potentially availability of internal services.

Affected Systems

IBM WebSphere Application Server Liberty version 17.0.0.3 up to and including 26.0.0.7. The flaw is tied to the apiDiscovery-1.0 feature; any deployment of these releases with that feature enabled is affected. The advisory does not list additional products or configurations.

Risk and Exploitability

The CVSS score of 8.5 marks this as a high-severity vulnerability. The EPSS score is not available, so the current probability of exploitation is unknown but could be significant for environments where the apiDiscovery feature is exposed to untrusted clients. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to be able to send specially crafted HTTP requests to the Liberty server's REST endpoint that triggers the apiDiscovery service. No publicly disclosed exploitation code is available, but the flaw's nature suggests it could be leveraged by an authenticated or unauthenticated attacker depending on how the feature is secured.

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71873. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to "How to determine if Liberty is using a specific feature" (https://www.ibm.com/support/pages/node/6553910).

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.7 using the apiDiscovery-1.0 feature:

  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71873 (https://www.ibm.com/support/pages/node/7278406)
  --OR--
  • Apply Liberty Fix Pack 26.0.0.8 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Confirm that the apiDiscovery-1.0 feature is enabled in your Liberty installation.
  • Apply the interim fix that contains APAR PH71873 or upgrade to the minimal required fix pack levels and then apply the interim fix, following IBM's guidance.
  • Upgrade to Liberty Fix Pack 26.0.0.8 or later as soon as it becomes available.
  • If the feature is not required for your deployment, disable the apiDiscovery-1.0 feature to eliminate the attack surface.

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.
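
The first recommended action above (confirm whether apiDiscovery-1.0 is enabled) and the affected version range can be checked together with a small script. The following is an added example, not IBM's or OpenCVE's tooling; it assumes the standard Liberty server.xml layout (`<featureManager>` containing `<feature>` elements) and a four-part fix pack version string, and it deliberately does not follow `<include>` elements or configDropins, which must be inspected separately.

```python
import xml.etree.ElementTree as ET

# Affected range stated in the advisory: 17.0.0.3 through 26.0.0.7 inclusive.
AFFECTED_MIN = (17, 0, 0, 3)
AFFECTED_MAX = (26, 0, 0, 7)
# Feature names are compared case-insensitively (assumption about Liberty's matching).
VULNERABLE_FEATURE = "apidiscovery-1.0"

# Constructed sample server.xml, not taken from any real deployment.
SAMPLE_SERVER_XML = """<server description="constructed example">
  <featureManager>
    <feature>jaxrs-2.1</feature>
    <feature>apiDiscovery-1.0</feature>
  </featureManager>
</server>"""


def parse_version(version: str) -> tuple:
    """Turn a Liberty fix pack string such as '24.0.0.9' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Liberty version format: {version!r}")
    return tuple(int(p) for p in parts)


def version_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def enabled_features(server_xml: str) -> set:
    """Collect <feature> entries under every <featureManager> in this document.
    Does not follow <include> elements or configDropins; check those separately."""
    root = ET.fromstring(server_xml)
    return {f.text.strip().lower()
            for fm in root.iter("featureManager")
            for f in fm.findall("feature")
            if f.text and f.text.strip()}


def assess(server_xml: str, version: str) -> dict:
    """Report whether this server matches the advisory's affected conditions."""
    feature_on = VULNERABLE_FEATURE in enabled_features(server_xml)
    in_range = version_affected(version)
    if feature_on and in_range:
        verdict = "EXPOSED: apply the PH71873 interim fix or 26.0.0.8+, or disable apiDiscovery-1.0"
    elif feature_on:
        verdict = "feature enabled, but version is outside the affected range"
    else:
        verdict = "apiDiscovery-1.0 not enabled in this server.xml"
    return {"feature_enabled": feature_on, "version_affected": in_range, "verdict": verdict}
```

Run `assess(open("server.xml").read(), version)` against each server's configuration, taking the version from `productInfo version` on the installation.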

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Description          -                IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.
Title                -                IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability
First Time appeared  -                Ibm; Ibm websphere Application Server Liberty
Weaknesses           -                CWE-918
CPEs                 -                cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.7:*:*:*:*:*:*:*
Vendors & Products   -                Ibm; Ibm websphere Application Server Liberty
References           -                -
Metrics              -                cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:44:49.769Z

Reserved: 2026-06-09T00:14:50.812Z

Link: CVE-2026-11714

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)