Description
IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
Published: 2026-06-22
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server traditional (8.5 and 9.0) and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling. In this class of attack a remote attacker sends a request whose framing (where one request ends and the next begins) can be interpreted in more than one way, so that two HTTP parsers in the request path, typically a front-end proxy or load balancer and the application server behind it, disagree about the message boundary. The bytes left over after the desynchronization are then processed by the server as the start of a further request that the front end never inspected, which is how the advisory's listed impacts arise: bypass of security controls, spoofing of user identity, privilege escalation and exposure of sensitive information. The weakness is classified as CWE-444, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling').
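The boundary disagreement described above, shown on a constructed CL.TE message. This is an added example for this page, not IBM code and not a proof of concept for CVE-2026-8646: it models a naive front end that trusts Content-Length against a back end that honours a chunked Transfer-Encoding, and the RFC 7230 section 3.3.3 / RFC 9112 section 6.3 rules a hardened parser applies to reject such a message instead of guessing. The request bytes, the policy names "cl" and "te", and the function names are all assumptions made for the illustration.

```python
"""CL.TE request-boundary ambiguity (CWE-444) on a constructed message.
Added example, not IBM code and not specific to CVE-2026-8646."""
from typing import Dict, List, Tuple

CRLF = b"\r\n"
Headers = Dict[bytes, List[bytes]]


def _split_head(raw: bytes) -> Tuple[bytes, Headers, bytes]:
    """Return (request line, headers, bytes after the blank line).
    Header names are lower-cased; repeated names keep every value."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest


def _codings(headers: Headers) -> List[bytes]:
    """Transfer-Encoding tokens, lower-cased, in header order."""
    joined = b",".join(headers.get(b"transfer-encoding", []))
    return [c.strip().lower() for c in joined.split(b",") if c.strip()]


def _read_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Consume one chunked body (no trailers); return (body, leftover)."""
    body, pos = b"", 0
    while True:
        line_end = rest.index(CRLF, pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return body, rest[pos + 2:]      # skip the final empty line
        body += rest[pos:pos + size]
        pos += size + 2                       # skip the chunk's trailing CRLF


def split_requests(stream: bytes, policy: str) -> List[bytes]:
    """Request lines a parser following *policy* sees in *stream*.
    "cl": Content-Length decides the body length (naive front end).
    "te": a chunked Transfer-Encoding wins (what RFC 7230 requires)."""
    seen: List[bytes] = []
    while stream:
        req_line, headers, rest = _split_head(stream)
        if policy == "te" and b"chunked" in _codings(headers):
            _, stream = _read_chunked(rest)
        else:
            stream = rest[int(headers.get(b"content-length", [b"0"])[0]):]
        seen.append(req_line)
    return seen


def validate_framing(raw: bytes) -> Tuple[bool, str]:
    """Hardened check: reject any message whose body length is ambiguous."""
    _, headers, _ = _split_head(raw)
    cl = headers.get(b"content-length", [])
    te = _codings(headers)
    if cl and te:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return False, "Content-Length repeated"
    if cl and not cl[0].isdigit():
        return False, "Content-Length is not a plain decimal"
    if te and (te[-1] != b"chunked" or te.count(b"chunked") != 1):
        return False, "chunked must appear once, as the final transfer coding"
    return True, "unambiguous"


# Constructed sample: Content-Length covers the whole body, so a CL-first
# parser forwards it as ONE request, while a TE-first parser ends the chunked
# body at "0\r\n\r\n" and treats the remainder as a SECOND request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim.example\r\n\r\n"
CHUNKED_BODY = b"0\r\n\r\n" + SMUGGLED
CL_TE_REQUEST = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: victim.example\r\n",
    b"Content-Length: %d\r\n" % len(CHUNKED_BODY),
    b"Transfer-Encoding: chunked\r\n",
    CRLF,
    CHUNKED_BODY,
])
CLEAN_REQUEST = b"POST / HTTP/1.1\r\nHost: victim.example\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("front end (CL) sees:", split_requests(CL_TE_REQUEST, "cl"))
    print("back end  (TE) sees:", split_requests(CL_TE_REQUEST, "te"))
    print("hardened parser    :", validate_framing(CL_TE_REQUEST))
```

The point of the hardened check is that a server never has to choose between the two headers: a message carrying both, a repeated or non-decimal Content-Length, or a Transfer-Encoding in which chunked is not the single final coding is refused outright, which removes the disagreement the attack depends on.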

Affected Systems

The affected products are IBM WebSphere Application Server traditional versions 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6. For Liberty the vulnerability applies only when one of the servlet or websocket features named in the vendor advisory is enabled (servlet-3.0 through servlet-6.1 and websocket-1.0 through websocket-2.2, as listed under Vendor Solution below).

Risk and Exploitability

With a CVSS 3.1 base score of 7.4 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), the vulnerability is rated high severity. The vector states that exploitation occurs over the network with no privileges and no user interaction, that attack complexity is high, and that the impact is high on confidentiality and integrity with no availability impact. The EPSS score is not provided, and the vulnerability is not currently in the CISA Known Exploited Vulnerabilities catalog; the SSVC record attached to this entry gives Exploitation "none", Automatable "no" and Technical Impact "total". Because the attack vector is remote, any system running one of the listed product versions that is reachable from the public internet or from a hostile network segment should be treated as exposed.

Generated by OpenCVE AI on June 22, 2026 at 16:27 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71631 and PH71370. To determine if a feature is enabled for WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature: https://www.ibm.com/support/pages/node/6553910

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, or websocket-2.2 feature:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71631: https://www.ibm.com/support/pages/node/7276381
  --OR--
  • Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370: https://www.ibm.com/support/pages/node/7276399
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370: https://www.ibm.com/support/pages/node/7276399
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.
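A first-pass triage of which Liberty servers list one of the features named above, as an added example for this page rather than IBM tooling. It reads a Liberty server.xml with the standard library and assumes the usual <featureManager>/<feature> layout; it also assumes (not stated in the advisory) that umbrella features whose names start with webProfile-, javaee- or jakartaee- enable servlet transitively, and it reports <include> files without following them. A clean result from this scan therefore narrows the work but does not replace IBM's own procedure linked above for confirming whether a feature is in use. The sample server.xml documents are constructed for the example.

```python
"""Scan Liberty server.xml files for the servlet/websocket features named in
the advisory. Added example, not IBM tooling; see assumptions in comments."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Feature names exactly as listed in the vendor solution.
AFFECTED_FEATURES = {
    "servlet-3.0", "servlet-3.1", "servlet-4.0", "servlet-5.0",
    "servlet-6.0", "servlet-6.1",
    "websocket-1.0", "websocket-1.1", "websocket-2.0", "websocket-2.1",
    "websocket-2.2",
}
# Assumption: umbrella features that pull servlet in without naming it.
UMBRELLA_PREFIXES = ("webprofile-", "javaee-", "jakartaee-")


def scan_server_xml(xml_text: str) -> Dict[str, List[str]]:
    """Classify the features a server.xml enables.
    direct:   an affected feature is listed explicitly
    umbrella: an umbrella feature is listed (assumed to enable servlet)
    includes: <include> locations that this scan does NOT follow"""
    root = ET.fromstring(xml_text)
    enabled = sorted({(f.text or "").strip() for f in root.iter("feature")} - {""})
    return {
        "direct": [f for f in enabled if f.lower() in AFFECTED_FEATURES],
        "umbrella": [f for f in enabled if f.lower().startswith(UMBRELLA_PREFIXES)],
        "includes": [i.get("location", "") for i in root.iter("include")],
    }


def likely_affected(xml_text: str) -> bool:
    """True when the server should be queued for the PH71631 interim fix or
    the 26.0.0.7 fix pack pending confirmation with IBM's procedure."""
    result = scan_server_xml(xml_text)
    return bool(result["direct"] or result["umbrella"])


# Constructed sample configurations.
SAMPLE_DIRECT = """<server description="constructed sample 1">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>jsp-2.3</feature>
    <feature>websocket-1.1</feature>
  </featureManager>
</server>"""

SAMPLE_UMBRELLA = """<server description="constructed sample 2">
  <featureManager>
    <feature>webProfile-8.0</feature>
  </featureManager>
  <include location="${server.config.dir}/extra.xml"/>
</server>"""

SAMPLE_CLEAN = """<server description="constructed sample 3">
  <featureManager>
    <feature>jdbc-4.2</feature>
  </featureManager>
</server>"""

if __name__ == "__main__":
    for name, xml_text in [("direct", SAMPLE_DIRECT),
                           ("umbrella", SAMPLE_UMBRELLA),
                           ("clean", SAMPLE_CLEAN)]:
        print(name, likely_affected(xml_text), scan_server_xml(xml_text))
```

Run it over every server.xml in the fleet and treat any non-empty "includes" list as unresolved: features declared in an included file are invisible to this scan, which is why the advisory's own feature check remains the authoritative step before closing a ticket.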


OpenCVE Recommended Actions

  • Liberty 17.0.0.3 - 26.0.0.6 with an affected servlet or websocket feature enabled: apply the IBM Interim Fix for PH71631, or upgrade to Fix Pack 26.0.0.7 or later
  • WebSphere Application Server traditional 9.0.0.0 - 9.0.5.28: apply the IBM Interim Fix for PH71370, or upgrade to Fix Pack 9.0.5.29 or later
  • WebSphere Application Server traditional 8.5.0.0 - 8.5.5.29: apply the IBM Interim Fix for PH71370, or upgrade to Fix Pack 8.5.5.30 or later

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
Title | | IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities
First Time appeared | | Ibm; Ibm websphere Application Server; Ibm websphere Application Server Liberty
Weaknesses | | CWE-444
CPEs | | cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.6:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm websphere Application Server; Ibm websphere Application Server Liberty
References | | (none listed)
Metrics | | cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T15:58:37.275Z

Reserved: 2026-05-14T20:38:35.335Z

Link: CVE-2026-8646

Vulnrichment

Updated: 2026-06-22T15:58:32.808Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')