Impact
IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 contains an arbitrary file read flaw that is reachable only when the restConnector-2.0 feature is enabled. An attacker who can exploit it can read any file the server process has permission to read, violating confidentiality and potentially exposing server configuration, credentials, keystores, or other secrets stored on the host. The weakness is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP request/response smuggling).
Affected Systems
Vulnerable instances are IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.6 with the restConnector-2.0 feature enabled. Liberty features are enabled per server in the featureManager element of server.xml (and of any configuration files it includes), so administrators should check each server's configuration for restConnector-2.0 rather than assuming a fleet-wide default; the vulnerable code is reachable only through that feature.
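The check described above, as an added example that is not IBM's code or part of the original page: a POSIX shell script that reports whether a Liberty server's configuration enables restConnector-2.0 (including one level of included config files) and whether a version string falls in the affected range. The directory layout, the sample server.xml files, and the `Product version:` line parsed from `productInfo version` output are assumptions written for the example; Liberty variables such as `${server.config.dir}` in include paths are not expanded, and commented-out features are not distinguished from live ones, so treat hits as candidates to review by hand.

```shell
#!/bin/sh
# Added example (not IBM's code): locate Liberty servers that enable
# restConnector-2.0 and test a product version against the affected range.
# Assumed layout: <WLP_USER_DIR>/servers/<name>/server.xml with optional
# <include location="..."/> files resolved relative to the server directory.

# Encode "a.b.c.d" as an integer so version ranges can be compared in sh.
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*10000 + $3*100 + $4 }'
}

# 0 if $1 is within 17.0.0.3 .. 26.0.0.6 (the range named by the advisory), else 1.
version_affected() {
    v=$(version_key "$1")
    lo=$(version_key 17.0.0.3)
    hi=$(version_key 26.0.0.6)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Pull the version out of `wlp/bin/productInfo version` output read from stdin.
# The "Product version: X" line format is an assumption of this example.
parse_product_version() {
    sed -n 's/^Product version:[[:space:]]*//p' | head -n 1
}

# 0 if the file enables restConnector-2.0. Newlines are stripped first so a
# <feature> element split across lines is still matched.
file_enables_rest_connector() {
    [ -f "$1" ] || return 1
    tr -d '\n\r' < "$1" |
        grep -Eq '<feature>[[:space:]]*restConnector-2\.0[[:space:]]*</feature>'
}

# 0 if server.xml ($1) or any file it <include>s (one level deep) enables the feature.
# Does not expand Liberty variables in include locations; paths with spaces are not handled.
has_rest_connector() {
    cfg=$1
    file_enables_rest_connector "$cfg" && return 0
    dir=$(dirname "$cfg")
    for inc in $(sed -n 's/.*<include[^>]*location="\([^"]*\)".*/\1/p' "$cfg"); do
        case "$inc" in
            /*) path=$inc ;;
            *)  path=$dir/$inc ;;
        esac
        file_enables_rest_connector "$path" && return 0
    done
    return 1
}

# Print the name of every server under $1/servers whose config enables the feature.
scan_servers() {
    for srv in "$1"/servers/*/; do
        [ -d "$srv" ] || continue
        if has_rest_connector "$srv/server.xml"; then
            basename "$srv"
        fi
    done
}

# Write a constructed two-server layout under $1 for demonstration (not real data):
# "adminServer" enables restConnector-2.0 via an included file, "appServer" does not.
write_sample_layout() {
    mkdir -p "$1/servers/adminServer" "$1/servers/appServer"
    cat > "$1/servers/adminServer/server.xml" <<'EOF'
<server description="constructed sample">
    <featureManager>
        <feature>jsp-2.3</feature>
    </featureManager>
    <include location="admin.xml"/>
</server>
EOF
    cat > "$1/servers/adminServer/admin.xml" <<'EOF'
<server>
    <featureManager>
        <feature>
            restConnector-2.0
        </feature>
    </featureManager>
</server>
EOF
    cat > "$1/servers/appServer/server.xml" <<'EOF'
<server description="constructed sample">
    <featureManager><feature>servlet-4.0</feature></featureManager>
</server>
EOF
}

# Stand-alone run: build the sample layout and report affected servers.
if [ "${LIBERTY_CHECK_DEMO:-1}" = 1 ]; then
    demo_dir=$(mktemp -d)
    write_sample_layout "$demo_dir"
    echo "Servers enabling restConnector-2.0 under $demo_dir:"
    scan_servers "$demo_dir"
    rm -rf "$demo_dir"
fi
```

On a real host, replace the sample layout with the actual `WLP_USER_DIR` (the `usr` directory of the install unless overridden) and feed `wlp/bin/productInfo version` to `parse_product_version` to combine the version and feature checks.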
Risk and Exploitability
The CVSS base score is 7.2, which falls in the High severity band. Exploit Prediction Scoring System (EPSS) data is not available, and the vulnerability is not listed in the CISA KEV catalog. The summary does not state the attack vector; exploitation presumably requires network access to the REST connector endpoint, and whether valid credentials are needed, or whether the endpoint is usually reachable only from trusted networks, is not specified here. Given the potential for disclosure of configuration and credential material, the risk remains significant, especially where the connector endpoint is reachable from untrusted networks.
OpenCVE Enrichment