Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.
Published: 2026-06-30
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 contains an arbitrary file read flaw that is reachable only when the restConnector-2.0 feature is enabled. An attacker who can reach the REST connector with the privileges the CVSS vector requires can read files on the host that the Liberty server process itself can read, violating confidentiality and potentially exposing configuration, credentials, keystores, or other secrets. The weakness assigned in the CVE record is CWE-444 (Inconsistent Interpretation of HTTP Requests).

Affected Systems

Vulnerable instances are IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.6 (inclusive) with the restConnector-2.0 feature enabled. Administrators should verify whether this feature is listed in the featureManager of each server's configuration, including any files pulled in via include elements, since the flaw resides solely within that component and a server without the feature is not exposed.

Risk and Exploitability

The CVSS 3.1 base score is 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no user interaction, but high privileges required, meaning the attacker must already hold an administrative-level role on the REST connector endpoint. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Note that the vector rates integrity and availability impact as High even though the description is a file read; treat the vector as the assessor's overall rating rather than a description of the mechanism. Given the potential for confidential data exposure, the risk remains significant for deployments that expose the connector endpoint beyond trusted administrative networks or share administrative credentials widely.

Generated by OpenCVE AI on June 30, 2026 at 21:24 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71719. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the restConnector-2.0 feature:

· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71719 https://www.ibm.com/support/pages/node/7277433
--OR--
· Apply Liberty Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Upgrade to the minimal fix pack level required by the interim fix, then apply the interim fix for APAR PH71719
  • Alternatively, upgrade to Liberty Fix Pack 26.0.0.7 or later (target availability 3Q2026), which contains the fix
  • If the restConnector-2.0 feature is not needed, remove it from the server configuration to eliminate the attack surface; if it is needed, restrict network access to the connector endpoint to administrative networks and review who holds the administrative roles it requires
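The following script is an added example (not IBM's or OpenCVE's code) of the two checks the actions above call for: whether restConnector-2.0 appears in a server's featureManager, including features pulled in through include elements, and whether the product version sits inside the affected 17.0.0.3 through 26.0.0.6 range. It also writes a hardened copy of server.xml with the feature removed. The sample server.xml and included file are constructed for the demo; the file locations and the four-part version string (as reported by Liberty's bin/productInfo version command) are assumptions you supply for a real server.

```python
"""Added check for the PH71719 exposure conditions: restConnector-2.0 enabled in
server.xml (including files pulled in via <include/>) and a Liberty product
version inside 17.0.0.3 - 26.0.0.6.  Example code, not IBM's or OpenCVE's."""
import os
import tempfile
import xml.etree.ElementTree as ET

AFFECTED_MIN = (17, 0, 0, 3)
AFFECTED_MAX = (26, 0, 0, 6)
# Liberty feature names are case-insensitive, so compare lower-cased.
FEATURE = "restconnector-2.0"


def parse_version(text):
    """Turn a 4-part Liberty version such as '26.0.0.6' into a comparable tuple."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Liberty version string: {text!r}")
    return parts


def version_in_affected_range(text):
    """True for 17.0.0.3 <= version <= 26.0.0.6 (inclusive, per the advisory)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def enabled_features(path, _seen=None):
    """Collect lower-cased <feature> names from a server.xml, following
    <include location="..."/> for local files (relative paths resolved against
    the including file; URLs and ${variable} locations are skipped)."""
    seen = _seen if _seen is not None else set()
    path = os.path.abspath(path)
    if path in seen or not os.path.isfile(path):
        return set()
    seen.add(path)
    root = ET.parse(path).getroot()
    features = {f.text.strip().lower() for f in root.iter("feature") if f.text}
    for inc in root.iter("include"):
        loc = inc.get("location", "")
        if not loc or "${" in loc or loc.startswith(("http://", "https://")):
            continue
        inc_path = loc if os.path.isabs(loc) else os.path.join(os.path.dirname(path), loc)
        features |= enabled_features(inc_path, seen)
    return features


def assess(server_xml, version):
    """Report whether both exposure conditions hold for this server."""
    feature_on = FEATURE in enabled_features(server_xml)
    version_hit = version_in_affected_range(version)
    return {"feature_enabled": feature_on,
            "version_affected": version_hit,
            "exposed": feature_on and version_hit}


def remove_feature(server_xml, out_path):
    """Write a copy of server.xml with every restConnector-2.0 <feature> removed
    from <featureManager>.  Returns the number removed.  Only this file is
    rewritten; a feature enabled via an included file must be fixed there."""
    tree = ET.parse(server_xml)
    removed = 0
    for fm in tree.getroot().iter("featureManager"):
        for feat in list(fm.findall("feature")):
            if feat.text and feat.text.strip().lower() == FEATURE:
                fm.remove(feat)
                removed += 1
    tree.write(out_path, encoding="utf-8", xml_declaration=True)
    return removed


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server description="sample">
  <featureManager>
    <feature>jsp-2.3</feature>
    <feature>restConnector-2.0</feature>
  </featureManager>
  <include location="extra.xml"/>
</server>
"""
SAMPLE_INCLUDE_XML = """<server>
  <featureManager><feature>ssl-1.0</feature></featureManager>
</server>
"""


def demo(version="26.0.0.6"):
    """Write the samples to a temp dir, assess, harden, and re-assess."""
    d = tempfile.mkdtemp()
    main_xml = os.path.join(d, "server.xml")
    with open(main_xml, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SERVER_XML)
    with open(os.path.join(d, "extra.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INCLUDE_XML)
    before = assess(main_xml, version)
    hardened = os.path.join(d, "server.hardened.xml")
    removed = remove_feature(main_xml, hardened)
    after = assess(hardened, version)
    return {"features": enabled_features(main_xml), "before": before,
            "removed": removed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two caveats when running this against real servers: the four-part version does not change when an interim fix is installed, so a 26.0.0.6 server that already carries the PH71719 interim fix will still be reported as version-affected and the installed interim fixes must be checked separately; and the feature-removal step only edits the file it is given, so a feature enabled in an included file has to be removed there.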


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Values added (no values removed):
  Description: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.
  Title: IBM WebSphere Application Server Liberty is affected by an arbitrary file read vulnerability
  First Time appeared: Ibm; Ibm websphere Application Server Liberty
  Weaknesses: CWE-444
  CPEs:
    cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.6:*:*:*:*:*:*:*
  Vendors & Products: Ibm; Ibm websphere Application Server Liberty
  References: (none)
  Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:43:17.946Z

Reserved: 2026-06-09T15:24:52.679Z

Link: CVE-2026-11806

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')