Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3: IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF). This may allow a remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery
Action: Patch Now
AI Analysis

Impact

This vulnerability allows a remote attacker to perform server-side request forgery, causing the server to issue arbitrary HTTP/HTTPS requests on the attacker's behalf. The attacker can use it for network enumeration, data exfiltration, or to reach internal services that are otherwise inaccessible from outside. The weakness is classified as CWE-918.

Affected Systems

Affected systems are IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3. Both the core Liberty runtime and configurations that enable the samlWeb-2.0 feature are susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score below 1% suggests a low probability of exploitation. Because this is not listed in CISA's KEV catalog, there is no known mass exploitation. The attack vector is inferred to be remote, via a web-facing application interface that processes user-controlled input, and exploitation requires that the affected feature is enabled.

Generated by OpenCVE AI on March 30, 2026 at 18:31 UTC.

Remediation

Vendor Solution

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70017. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to "How to determine if Liberty is using a specific feature".

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the samlWeb-2.0 feature:

  • Upgrade to the minimal fix pack levels required by the interim fix and then apply the Interim Fix that resolves PH70017
  --OR--
  • Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the interim fix PH70017 by upgrading to the appropriate fix pack level and then installing the interim fix.
  • Update to Liberty Fix Pack 26.0.0.4 or later once it becomes available.
  • Disable the samlWeb-2.0 feature if not needed, or verify that the feature is not enabled.
  • Monitor IBM support for additional interim fixes and apply them promptly.

Generated by OpenCVE AI on March 30, 2026 at 18:31 UTC.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Ibm aix
Ibm i
Ibm z/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Ibm aix
Ibm i
Ibm z/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery (SSRF). This may allow remote attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Title IBM WebSphere Application Server Liberty Server-Side Request Forgery
First Time appeared Ibm
Ibm websphere Application Server
Weaknesses CWE-918
CPEs cpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
cpe:2.3:a:ibm:websphere_application_server:26.0.0.3:*:*:*:liberty:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T15:37:14.525Z

Reserved: 2026-01-28T19:33:31.826Z

Link: CVE-2026-1561

Vulnrichment

Updated: 2026-03-26T15:37:11.214Z

NVD

Status : Analyzed

Published: 2026-03-25T21:16:28.680

Modified: 2026-03-30T16:58:21.607

Link: CVE-2026-1561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:55Z

Weaknesses