Description
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server Liberty is vulnerable to identity spoofing when the appSecurity feature is not enabled and applications are deployed without authentication or authorization. This flaw, classified as CWE-269 (Improper Privilege Management), allows an attacker to impersonate another user or the system, potentially gaining unauthorized access to privileged functionality. The vulnerability manifests only under the specific configuration conditions described, so its impact depends on how the server is set up. Additionally, NVD lists an NVD-CWE-noinfo entry, indicating the presence of another unspecified weakness.

Affected Systems

The affected product is IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4. All releases within that range that have the appSecurity feature disabled are susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires a server that is running without the appSecurity feature and has applications deployed without authentication or authorization; these conditions are uncommon, but where they are present an attacker could spoof identities remotely via the web interface. IBM recommends applying the interim fix for APAR PH70352 immediately or upgrading to Fix Pack 26.0.0.5 or later to mitigate the risk.

Generated by OpenCVE AI on May 13, 2026 at 21:50 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70352. IBM WebSphere Application Server Liberty is affected by identity spoofing only when the appSecurity feature (appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0) is not enabled on the server. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature: https://www.ibm.com/support/pages/node/6553910

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.4:

  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70352: https://www.ibm.com/support/pages/node/7270436
  --OR--
  • Apply Liberty Fix Pack 26.0.0.5 or later (targeted availability 2Q2026).

Additional interim fixes may be available and linked off the interim fix download page.

OpenCVE Recommended Actions

  • Enable the appSecurity feature on your Liberty server to enforce authentication and authorization.
  • Apply the interim fix for APAR PH70352 as distributed by IBM.
  • Upgrade to Liberty Fix Pack 26.0.0.5 or later, which includes the permanent fix.

Generated by OpenCVE AI on May 13, 2026 at 21:50 UTC.
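As an added example (not part of the OpenCVE record or IBM's advisory), the following Python script checks a Liberty server.xml for the precondition the advisory and the recommended actions above describe: whether any appSecurity-x.y feature is declared in featureManager. The two server.xml fragments are constructed; the script only inspects features configured explicitly in the text it is given, so features pulled in through included files or enabled transitively by other features are not resolved, and IBM's referenced support page remains the authoritative check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configurations, not taken from the advisory.
# Weak: only a web feature is enabled; nothing enforces authentication
# or authorization for the deployed application.
VULNERABLE_SERVER_XML = """<server description="app without security">
  <featureManager>
    <feature>servlet-4.0</feature>
  </featureManager>
</server>"""

# Corrected: an appSecurity feature (one of the names the advisory lists,
# appSecurity-1.0 through appSecurity-5.0) is enabled alongside the rest.
HARDENED_SERVER_XML = """<server description="app with security">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>appSecurity-5.0</feature>
  </featureManager>
</server>"""

# Any appSecurity-<major>.<minor> feature; the advisory names 1.0 to 5.0.
# Names are compared case-insensitively in this script.
APP_SECURITY_FEATURE = re.compile(r"^appSecurity-\d+\.\d+$", re.IGNORECASE)


def configured_features(server_xml: str) -> list[str]:
    """Return every <feature> value declared in the given server.xml text.

    Only explicit declarations are seen: <include> files and features
    enabled transitively by other features are not resolved here.
    """
    root = ET.fromstring(server_xml)
    return [el.text.strip() for el in root.iter("feature") if el.text and el.text.strip()]


def app_security_enabled(server_xml: str) -> bool:
    """True when an appSecurity-x.y feature is explicitly configured."""
    return any(APP_SECURITY_FEATURE.match(f) for f in configured_features(server_xml))


def assess(server_xml: str) -> dict:
    """Summarise the advisory's precondition for one server.xml."""
    features = configured_features(server_xml)
    enabled = any(APP_SECURITY_FEATURE.match(f) for f in features)
    finding = "ok" if enabled else "appSecurity not configured: review authentication/authorization and apply the PH70352 fix"
    return {"features": features, "appSecurity_enabled": enabled, "finding": finding}


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, assess(text))
```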

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:30:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Ibm websphere Application Server
  Weaknesses            -                NVD-CWE-noinfo
  CPEs                  -                cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*
  Vendors & Products    -                Ibm websphere Application Server

Thu, 23 Apr 2026 17:15:00 +0000

  Type      Values Removed   Values Added
  Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 23:30:00 +0000

  Type                  Values Removed   Values Added
  Description           -                IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.
  Title                 -                IBM WebSphere Application Server Liberty is affected by identity spoofing
  First Time appeared   -                Ibm; Ibm websphere Application Server Liberty
  Weaknesses            -                CWE-269
  CPEs                  -                cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.4:*:*:*:*:*:*:*
  Vendors & Products    -                Ibm; Ibm websphere Application Server Liberty
  References            -                -
  Metrics               -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-24T03:55:15.371Z

Reserved: 2026-03-05T21:53:23.170Z

Link: CVE-2026-3621

Vulnrichment

Updated: 2026-04-23T13:51:46.651Z

NVD

Status : Analyzed

Published: 2026-04-23T00:16:45.313

Modified: 2026-05-13T20:24:13.463

Link: CVE-2026-3621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses