Description
IBM WebSphere Application Server Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server traditional 9.0 and 8.5 are vulnerable to a denial of service caused by a specially crafted request. A remote attacker could exploit this vulnerability to make the server consume memory resources.
Published: 2026-05-27
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A specially crafted request causes the WebSphere application server to allocate memory without limit (the record is tagged CWE-400, uncontrolled resource consumption, and CWE-770, allocation of resources without limits or throttling), so a remote attacker who can reach the affected endpoint can exhaust the JVM's memory and deny service. Confidentiality and integrity are not affected (C:N/I:N in the CVSS vector); the impact is availability only.

Affected Systems

Affected products are IBM WebSphere Application Server Liberty 19.0.0.7 through 26.0.0.5, and IBM WebSphere Application Server traditional 9.0.0.0 through 9.0.5.27 and 8.5.0.0 through 8.5.5.29. For Liberty, IBM's advisory scopes the exposure to servers with the sipServlet-1.1 feature enabled; the traditional ranges carry no feature qualifier in the advisory, so every traditional 9.0 and 8.5 installation in those ranges should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score is 4.8 (Medium) with vector AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H: the scoring assumes an attacker on an adjacent network, low privileges, high attack complexity and no user interaction, with high impact on availability only. No EPSS score is available, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Those vector assumptions describe the scored scenario, not every deployment; a SIP container or traditional server that accepts requests from untrusted networks should be prioritised above what the 4.8 alone suggests. The risk is removed by applying IBM interim fix PH70807 (Liberty) or PH70616 (traditional), or by installing the fix packs that contain those APARs.

Generated by OpenCVE AI on May 27, 2026 at 20:33 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70807 (Liberty) or APAR PH70616 (traditional). To determine if a feature is enabled for WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature: https://www.ibm.com/support/pages/node/6553910

For IBM WebSphere Application Server Liberty 19.0.0.7 - 26.0.0.5 using the sipServlet-1.1 feature:
· Upgrade to the minimal fix pack level required by the interim fix, then apply the interim fix that resolves PH70807: https://www.ibm.com/support/pages/node/7273237
--OR--
· Apply Fix Pack 26.0.0.6 or later (targeted availability 2Q2026).

For IBM WebSphere Application Server traditional V9.0.0.0 through 9.0.5.27:
· Upgrade to the minimal fix pack level required by the interim fix, then apply the interim fix that resolves PH70616: https://www.ibm.com/support/pages/node/7269402
--OR--
· Apply Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).

For IBM WebSphere Application Server traditional V8.5.0.0 through 8.5.5.29:
· Upgrade to the minimal fix pack level required by the interim fix, then apply the interim fix that resolves PH70616: https://www.ibm.com/support/pages/node/7269402
--OR--
· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Apply the IBM interim fix PH70807 (Liberty sipServlet-1.1) or PH70616 (traditional WebSphere Application Server) as directed by IBM.
  • Upgrade to the most recent fix pack: Liberty 26.0.0.6 or later, WAS 9.0.5.28 or later, or 8.5.5.30 or later.
  • If the sipServlet-1.1 feature is not required on a Liberty server, remove it from that server's featureManager configuration until the fix is applied. IBM's advisory ties the Liberty exposure to that feature but lists no feature condition for traditional WebSphere Application Server, so traditional 9.0 and 8.5 installations need the PH70616 interim fix or fix pack regardless.
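The two checks an administrator actually needs here are "is my version inside the listed ranges" and "does this Liberty server enable sipServlet-1.1". The script below is an added example, not IBM's or OpenCVE's code: it takes the version ranges from the Affected Systems text and the vendor solution above, and scans Liberty server.xml files for the feature, following `<include location="..."/>` references the way IBM's feature-detection page suggests checking. It assumes the standard Liberty layout (`servers/<name>/server.xml`), resolves relative include paths against the including file's directory, does not expand Liberty variables such as `${shared.config.dir}`, and reads one `<feature>` element per line. The sample server.xml files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for CVE-2026-4410 exposure checks (not IBM's or OpenCVE's code).
# Assumptions: numeric dotted versions; version ranges copied from the advisory text on this page.

# vercmp A B -> prints -1, 0 or 1 for A<B, A==B, A>B on dotted numeric versions.
# Missing trailing components count as 0, so "9.0.5" compares equal to "9.0.5.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$a" = "$ah" ] && a='' || a=${a#*.}
        [ "$b" = "$bh" ] && b='' || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# in_range V LO HI -> exit 0 when LO <= V <= HI
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# affected PRODUCT VERSION -> "affected" if VERSION is inside an advisory range,
# "not-listed" otherwise (this says nothing about versions the advisory does not mention).
affected() {
    case "$1" in
        liberty)
            if in_range "$2" 19.0.0.7 26.0.0.5; then echo affected; else echo not-listed; fi ;;
        traditional)
            if in_range "$2" 9.0.0.0 9.0.5.27 || in_range "$2" 8.5.0.0 8.5.5.29; then echo affected; else echo not-listed; fi ;;
        *) echo unknown ;;
    esac
}

# features_of SERVER_XML -> prints every <feature> name in the file and in files it <include>s.
# Subshell body, so recursion cannot clobber the caller's variables (POSIX sh, no 'local' needed).
features_of() (
    f="$1"
    [ -f "$f" ] || exit 0
    sed -n 's/.*<feature>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/feature>.*/\1/p' "$f"
    # Follow includes; relative locations resolve against the including file's directory.
    # Limitation: Liberty variables in location="..." are not expanded; paths with spaces are not handled.
    for inc in $(sed -n 's/.*<include[^>]*location="\([^"]*\)".*/\1/p' "$f"); do
        case "$inc" in
            /*) features_of "$inc" ;;
            *)  features_of "$(dirname "$f")/$inc" ;;
        esac
    done
)

# uses_sipservlet SERVER_XML -> exit 0 when sipServlet-1.1 is enabled directly or via an include.
# Liberty feature names are case-insensitive, hence grep -i.
uses_sipservlet() {
    features_of "$1" | grep -qi '^sipServlet-1\.1$'
}

# make_fixture -> creates a constructed Liberty user directory with two servers and prints its path.
make_fixture() (
    d=$(mktemp -d)
    mkdir -p "$d/servers/sip" "$d/servers/web" "$d/shared"
    cat > "$d/shared/sip-features.xml" <<'EOF'
<server>
    <featureManager>
        <feature>sipServlet-1.1</feature>
    </featureManager>
</server>
EOF
    cat > "$d/servers/sip/server.xml" <<'EOF'
<server description="constructed sample: SIP container enabled through an include">
    <featureManager>
        <feature>jsp-2.3</feature>
    </featureManager>
    <include location="../../shared/sip-features.xml"/>
</server>
EOF
    cat > "$d/servers/web/server.xml" <<'EOF'
<server description="constructed sample: plain web server">
    <featureManager>
        <feature>servlet-4.0</feature>
        <feature>jsp-2.3</feature>
    </featureManager>
</server>
EOF
    echo "$d"
)

# Stand-alone run over the constructed fixture. On a real host, point the loop at
# "$WLP_USER_DIR"/servers/*/server.xml and take the version from wlp/bin/productInfo version.
FIXTURE=$(make_fixture)
for xml in "$FIXTURE"/servers/*/server.xml; do
    if uses_sipservlet "$xml"; then
        echo "$xml: sipServlet-1.1 ENABLED (apply PH70807 or 26.0.0.6+ if the version is affected)"
    else
        echo "$xml: sipServlet-1.1 not enabled"
    fi
done
echo "liberty 24.0.0.3: $(affected liberty 24.0.0.3)"
echo "traditional 9.0.5.28: $(affected traditional 9.0.5.28)"
rm -rf "$FIXTURE"
```

On a live system the version strings come from `wlp/bin/productInfo version` for Liberty and `bin/versionInfo.sh` for traditional WebSphere Application Server; feed those into `affected` rather than trusting an inventory spreadsheet. A "not-listed" result for a traditional 8.5 or 9.0 fix pack above the ranges means the fix pack IBM names as the target, not that the product is unaffected in general.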

Generated by OpenCVE AI on May 27, 2026 at 20:33 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Values Removed: none
Values Added:
  Weaknesses: CWE-400
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:15:00 +0000

Values Removed: none
Values Added:
  Weaknesses: CWE-399, CWE-770

Wed, 27 May 2026 14:15:00 +0000

Values Removed: none
Values Added:
  Description: IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0, and 8.5 and WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
  Title: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a denial of service
  First Time appeared: Ibm; Ibm websphere Application Server; Ibm websphere Application Server Liberty
  CPEs:
    cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_application_server___liberty:19.0.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.5:*:*:*:*:*:*:*
  Vendors & Products: Ibm; Ibm websphere Application Server; Ibm websphere Application Server Liberty
  References: none
  Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T15:25:09.833Z

Reserved: 2026-03-19T02:14:15.887Z

Link: CVE-2026-4410

Vulnrichment

Updated: 2026-05-27T15:23:32.752Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:33.660

Modified: 2026-05-27T17:16:44.377

Link: CVE-2026-4410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:00:14Z

Weaknesses