Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
Published: 2026-05-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server 8.5 and 9.0 expose a flaw that allows remote code execution and denial of service when TLS mutual authentication is enabled. An attacker who can present a client certificate can trigger the vulnerability and run arbitrary code on the server, whereas the same configuration also permits the attacker to terminate the service, impacting availability. The vulnerability is classified as CWE‑94 (Code Injection).

Affected Systems

The affected product is IBM HTTP Server across the 8.5.x and 9.0.x series. The CVE applies to any deployment that includes TLS mutual authentication for client authentication. The mitigation guidance references IBM fix packs 8.5.5.30+ and 9.0.5.29+ or an interim fix. Versions 8.5.0 and higher, and 9.0.0 and higher, are included in the scope of the advisory.

Risk and Exploitability

The CVSS score of 8.1 categorises the risk as high. No EPSS score is available, and the vulnerability is not listed in CISA KEV, indicating no publicly known active exploits yet. The attack environment requires the possibility of initiating a TLS connection with mutual authentication; therefore the threat originates from a remote source that can provide a client certificate. The lack of explicit exploit code in the advisory suggests that the risk remains theoretical but substantial, emphasizing the need for prompt patching.

Generated by OpenCVE AI on May 26, 2026 at 19:43 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). For V8.5.0.0 through 8.5.5.29:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

OpenCVE Recommended Actions

  • Apply the IBM interim fix for APAR PH71265 or upgrade to fix pack 9.0.5.29+ for IBM HTTP Server V9 or 8.5.5.30+ for V8, following the vendor remediation schedule.
  • If the server is embedded in WebSphere Application Server, upgrade the WebSphere installation to the minimal fix pack levels required by the interim fix and then apply the fix, or directly elevate to the recommended fix pack version.
  • As a temporary measure, disable TLS mutual authentication or restrict it to a tightly controlled set of trusted client certificates, thereby reducing the attack surface until a formal patch is applied.

Generated by OpenCVE AI on May 26, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
Title IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm
Ibm http Server
Weaknesses CWE-94
CPEs cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm http Server
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ibm Aix Http Server Z\/os
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-28T03:55:43.422Z

Reserved: 2026-05-18T16:27:17.633Z

Link: CVE-2026-8855

cve-icon Vulnrichment

Updated: 2026-05-27T17:22:06.207Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:57.170

Modified: 2026-06-17T11:04:32.117

Link: CVE-2026-8855

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:45:06Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')