Description
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to identity spoofing.
Published: 2026-06-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server versions 9.0 and 8.5 contain an identity spoofing vulnerability that can enable an attacker to impersonate legitimate users or system components, potentially leading to unauthorized access to or manipulation of application data. The flaw lies in the authentication or identity verification components, which fail to correctly validate the originating party and so leave the system susceptible to spoofed credentials. As a result, the confidentiality, integrity, and availability of applications running on affected servers can be compromised.

Affected Systems

The vulnerability affects IBM WebSphere Application Server for all supported releases in the ranges 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28. Users should apply the interim fix identified as APAR PH71422 or upgrade to the latest fix pack, namely 9.0.5.29 or newer for the 9.x line, and 8.5.5.30 or newer for the 8.5.x line. This remediation path is documented by IBM and linked from their support pages.

Risk and Exploitability

The vulnerability is scored CVSS 9.1, indicating a very high severity level. EPSS data is not available, while the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector for this flaw is remote, as an attacker can impersonate legitimate entities over the network once credentials or identity tokens are presented to the server. Although explicit exploitation details are not provided, the flaw's nature suggests that an intruder with network access could leverage it to gain control over application functions that depend on trusted identities.

Generated by OpenCVE AI on June 1, 2026 at 20:37 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71422.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71422: https://www.ibm.com/support/pages/node/7274652
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71422: https://www.ibm.com/support/pages/node/7274652
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Download and install the IBM interim fix PH71422 from the official support page for both 8.5 and 9.0 editions.
  • If the interim fix is unavailable, upgrade the affected server to Fix Pack 9.0.5.29 or later for V9 releases, or to Fix Pack 8.5.5.30 or later for V8.5 releases, which incorporate the necessary patch.
  • After applying the fix, perform application and identity-verification tests to confirm that spoofed credential attempts are rejected and that legitimate authentication continues to function correctly.

Generated by OpenCVE AI on June 1, 2026 at 20:37 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:traditional:*:*:*

Mon, 01 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.
Title IBM WebSphere Application Server is affected by an identity spoofing vulnerability
First Time appeared Ibm
Ibm websphere Application Server
Weaknesses CWE-290
CPEs cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-01T19:32:31.456Z

Reserved: 2026-05-14T20:28:37.520Z

Link: CVE-2026-8644

Vulnrichment

Updated: 2026-06-01T19:32:26.307Z

NVD

Status: Analyzed

Published: 2026-06-01T19:16:55.097

Modified: 2026-06-04T16:58:19.927

Link: CVE-2026-8644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T23:30:12Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing