Description
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
Published: 2026-06-22
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in IBM WebSphere Application Server and its Liberty edition allows a remote attacker to trigger a denial of service by sending a specially‑crafted request that causes the server to consume excessive memory resources. This flaw, classified as CWE‑400, results in degraded or unavailable service without allowing code execution or data exposure. The impact is a disruption of application availability for all users accessing the affected instance.

Affected Systems

Affected products include IBM WebSphere Application Server for versions 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28, as well as the Liberty profile from 17.0.0.3 to 26.0.0.6. Users of these product families should verify their installed release and follow the vendor’s advice for interim fixes or newer fix packs.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the vulnerability is exploitable over the network by sending a crafted request—though no EPSS score is publicly available and the issue is not listed in the CISA KEV catalog. An attacker can cause service downtime by exhausting memory, potentially affecting multiple applications running on the same server. The mitigation is to apply the interim fix or an appropriate fix pack as recommended by IBM.

Generated by OpenCVE AI on June 22, 2026 at 17:05 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71631 and PH71370. To determine if a feature is enabled for WebSphere Application Server Liberty, refer to "How to determine if Liberty is using a specific feature": https://www.ibm.com/support/pages/node/6553910

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, or websocket-2.2 feature:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71631: https://www.ibm.com/support/pages/node/7276381
  --OR--
  • Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).

For IBM WebSphere Application Server traditional V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370: https://www.ibm.com/support/pages/node/7276399
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For IBM WebSphere Application Server traditional V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370: https://www.ibm.com/support/pages/node/7276399
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.


OpenCVE Recommended Actions

  • Identify which WebSphere version and edition you are running (traditional vs Liberty) and confirm it falls within the vulnerable ranges listed.
  • Download and install the IBM interim fix (PH71631 for Liberty or PH71370 for traditional) or apply the next available fix pack (Liberty 26.0.0.7+, traditional 9.0.5.29+ or 8.5.5.30+) as directed in the vendor advisory.
  • After applying the fix, restart the server and monitor memory usage to ensure the denial‑of‑service condition has been eliminated.
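As an added check for the vendor solution and the recommended actions above (example code, not IBM's or OpenCVE's): a Python script that compares an installed version with the affected ranges from this advisory and scans a Liberty server.xml for the servlet/websocket features the vendor solution lists. It assumes dotted numeric version strings and the featureManager/feature layout of server.xml; the sample server.xml is constructed. A server.xml scan only sees features listed directly, so features pulled in transitively by another feature still need the method on IBM's linked page.

```python
import xml.etree.ElementTree as ET

# Feature names listed in the vendor solution for PH71631.
AFFECTED_FEATURES = {
    "servlet-3.0", "servlet-3.1", "servlet-4.0", "servlet-5.0",
    "servlet-6.0", "servlet-6.1", "websocket-1.0", "websocket-1.1",
    "websocket-2.0", "websocket-2.1", "websocket-2.2",
}
# Inclusive version ranges from the advisory.
LIBERTY_RANGE = ("17.0.0.3", "26.0.0.6")
TRADITIONAL_RANGES = (("8.5.0.0", "8.5.5.29"), ("9.0.0.0", "9.0.5.28"))

# Constructed sample server.xml (not from any real deployment).
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>jsp-2.3</feature>
    <feature>webSocket-1.1</feature>
  </featureManager>
</server>"""

def parse_version(v):
    """'9.0.5' -> (9, 0, 5, 0): numeric tuple, padded to four parts."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def in_range(version, low, high):
    """Inclusive comparison using numeric, not string, ordering."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def liberty_features(server_xml):
    """Features listed directly in server.xml; Liberty treats names case-insensitively."""
    root = ET.fromstring(server_xml)
    return {f.text.strip().lower() for f in root.iter("feature") if f.text}

def liberty_needs_fix(version, server_xml):
    """Liberty is affected when the version is in range AND an affected feature is listed."""
    if not in_range(version, *LIBERTY_RANGE):
        return False
    return bool(liberty_features(server_xml) & AFFECTED_FEATURES)

def traditional_needs_fix(version):
    """Traditional WAS is affected purely by version (PH71370 ranges)."""
    return any(in_range(version, lo, hi) for lo, hi in TRADITIONAL_RANGES)

if __name__ == "__main__":
    print("Liberty 24.0.0.12 needs PH71631:", liberty_needs_fix("24.0.0.12", SAMPLE_SERVER_XML))
    print("Traditional 9.0.5.28 needs PH71370:", traditional_needs_fix("9.0.5.28"))
```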



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type: Description
Values added: IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.

Type: Title
Values added: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities

Type: First Time appeared
Values added: Ibm; Ibm websphere Application Server; Ibm websphere Application Server Liberty

Type: Weaknesses
Values added: CWE-400

Type: CPEs
Values added:
  cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.6:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Ibm; Ibm websphere Application Server; Ibm websphere Application Server Liberty

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T16:05:22.609Z

Reserved: 2026-05-22T20:33:33.213Z

Link: CVE-2026-9320

Vulnrichment

Updated: 2026-06-22T16:05:19.558Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T17:15:03Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption