Description
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote attacker can send a specially-crafted request to IBM WebSphere Application Server or its Liberty variant, causing the server to consume excessive memory and leading to a denial of service; the weakness is uncontrolled resource consumption (CWE-400).

Affected Systems

Affected versions include IBM WebSphere Application Server 9.0.0.0 through 9.0.5.28, IBM WebSphere Application Server 8.5.0.0 through 8.5.5.29, and IBM WebSphere Application Server – Liberty 17.0.0.3 through 26.0.0.6; patch levels 9.0.5.29+, 8.5.5.30+, and 26.0.0.7+ provide the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, EPSS is not available, and it is not listed in CISA KEV; the likely attack vector is remote via network, targeting the servlet or websocket interfaces, and applying the interim fix or upgrade mitigates the vulnerability.

Generated by OpenCVE AI on June 22, 2026 at 16:35 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71631 and PH71370. To determine if a feature is enabled for WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature (https://www.ibm.com/support/pages/node/6553910).

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, or websocket-2.2 feature:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71631 (https://www.ibm.com/support/pages/node/7276381)
  --OR--
  • Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370 (https://www.ibm.com/support/pages/node/7276399)
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370 (https://www.ibm.com/support/pages/node/7276399)
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Download and install the IBM interim fix that resolves APAR PH71631 for Liberty or PH71370 for traditional WebSphere from IBM support.
  • Upgrade the affected WebSphere installation to the latest applicable fix pack: 26.0.0.7 or later for Liberty, 9.0.5.29 or later for WebSphere 9, or 8.5.5.30 or later for WebSphere 8.5.
  • If the servlet or websocket features are unnecessary, disable them in the application server configuration to reduce the attack surface, following IBM’s feature determination guidance.
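A triage check that follows the vendor solution and the recommended actions above, added here as an example and not code from IBM or OpenCVE: it parses a Liberty server.xml for the affected servlet/websocket features the advisory names, and compares an installed fix pack level against the affected ranges. Assumptions: the standard featureManager/feature layout of server.xml, and a constructed sample server.xml; an installed interim fix is not visible to this check.

```python
import xml.etree.ElementTree as ET

# Liberty features named as affected in the IBM advisory for this CVE.
AFFECTED_FEATURES = {
    "servlet-3.0", "servlet-3.1", "servlet-4.0", "servlet-5.0",
    "servlet-6.0", "servlet-6.1", "websocket-1.0", "websocket-1.1",
    "websocket-2.0", "websocket-2.1", "websocket-2.2",
}

# (first affected, last affected, first fixed fix pack) per the advisory.
RANGES = {
    "liberty": ("17.0.0.3", "26.0.0.6", "26.0.0.7"),
    "traditional-9.0": ("9.0.0.0", "9.0.5.28", "9.0.5.29"),
    "traditional-8.5": ("8.5.0.0", "8.5.5.29", "8.5.5.30"),
}

def parse_version(text):
    """'9.0.5.28' -> (9, 0, 5, 28) so fix pack levels compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))

def in_affected_range(product, version):
    """True when the fix pack level lies inside the advisory's affected range.
    An installed interim fix is not visible here, so True means
    'verify the APAR interim fix is applied', not 'definitely vulnerable'."""
    low, high, _fixed = RANGES[product]
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def enabled_affected_features(server_xml):
    """Return affected features explicitly enabled in a Liberty server.xml.
    Names are compared case-insensitively. Umbrella (convenience) features
    that pull servlet in transitively are not resolved here, so an empty
    list does not prove the servlet feature is absent (see IBM's guidance)."""
    root = ET.fromstring(server_xml)
    found = set()
    for manager in root.iter("featureManager"):
        for feature in manager.findall("feature"):
            name = (feature.text or "").strip().lower()
            if name in AFFECTED_FEATURES:
                found.add(name)
    return sorted(found)

# Constructed sample server.xml; not taken from any real deployment.
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager>
    <feature>Servlet-4.0</feature>
    <feature>websocket-1.1</feature>
    <feature>jsp-2.3</feature>
  </featureManager>
</server>"""
```

Run `enabled_affected_features(SAMPLE_SERVER_XML)` and `in_affected_range("liberty", "24.0.0.1")` on a real server.xml and fix pack level to decide whether the interim fix or fix pack upgrade is still outstanding.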

Generated by OpenCVE AI on June 22, 2026 at 16:35 UTC.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type / Values Removed / Values Added (this first history entry only adds values)

Description: IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
Title: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by Uncontrolled Resource Consumption
First Time appeared:
  • Ibm
  • Ibm websphere Application Server
  • Ibm websphere Application Server Liberty
Weaknesses: CWE-400
CPEs:
  • cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.6:*:*:*:*:*:*:*
Vendors & Products:
  • Ibm
  • Ibm websphere Application Server
  • Ibm websphere Application Server Liberty
References:
Metrics: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T14:49:28.915Z

Reserved: 2026-05-20T10:58:43.207Z

Link: CVE-2026-9071

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:45:16Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption