Description
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Web Server Plug‑ins for WebSphere Application Server, including both traditional and Liberty builds, have a flaw (APAR PH71342) that enables HTTP request smuggling when handling specially crafted requests. This flaw results in the plug‑ins misinterpreting HTTP request boundaries, potentially causing unintended request processing downstream in the application. The weakness is classified as CWE‑444.

Affected Systems

Affected products are IBM Web Server Plug‑ins for WebSphere Application Server – used with either traditional or Liberty WebSphere – in versions 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.27. Any deployment of these plug‑ins on a WebSphere environment should be checked against those version ranges.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, classification high severity. An attacker would only need the ability to send crafted HTTP traffic to the plug‑ins, typically satisfied for internet‑facing or otherwise accessible application servers. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, so the current prevalence of exploitation is uncertain. Nonetheless, the low attack complexity and lack of privileged access requirement raise the risk that an attacker could misuse the misinterpreted request boundaries to influence application behavior. The potential impact, while not explicitly defined in the advisory, could involve unintended request handling or inadvertent data exposure.

Generated by OpenCVE AI on May 26, 2026 at 21:05 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71342.  Web Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty): For V9.0.0.0 through 9.0.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves  PH71342 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Web Server Plug-ins Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).   For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves  PH71342 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Web Server Plug-ins Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.

OpenCVE Recommended Actions

  • Apply the Web Server Plug‑ins interim fix that resolves PH71342 after upgrading to the minimal required fix pack level for your version.
  • Alternatively, apply Web Server Plug‑ins Fix Pack 9.0.5.28 or later for V9.x, or Fix Pack 8.5.5.30 or later for V8.5.x.
  • If immediate patching is not possible, restrict or filter inbound HTTP traffic using a web application firewall to block requests that could trigger request smuggling until the environment can be updated.

Generated by OpenCVE AI on May 26, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Ibm websphere Application Server
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:-:*:*:*
cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*
Vendors & Products Ibm websphere Application Server

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm web Server Plug-ins For Websphere Application Server And Websphere Liberty
Vendors & Products Ibm web Server Plug-ins For Websphere Application Server And Websphere Liberty

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
Title IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins
First Time appeared Ibm
Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
Weaknesses CWE-444
CPEs cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Ibm Web Server Plug-ins For Websphere Application Server And Websphere Liberty Web Server Plug Ins For Websphere Application Server And Websphere Liberty Websphere Application Server
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T13:12:59.224Z

Reserved: 2026-05-14T18:19:54.491Z

Link: CVE-2026-8620

cve-icon Vulnrichment

Updated: 2026-05-27T13:12:54.302Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:56.350

Modified: 2026-06-02T18:40:34.260

Link: CVE-2026-8620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:09:04Z

Weaknesses
  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')