← Back
2026-06-22 14:44CVE-2026-8646ibm
PUBLISHED5.2ApplicationCWE-444

IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities

IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

Problem type

Affected products

IBM

WebSphere Application Server

<= 7.0.2 Interim Fix 035 - AFFECTED

<= 7.0.3 Interim Fix 017 - AFFECTED

WebSphere Application Server - Liberty

<= 26.0.0.6 - AFFECTED

References

ibm.com

https://www.ibm.com/support/pages/node/7276579

vendor-advisorypatch

GitHub Security Advisories

GHSA-gmfx-j9mc-3x8v

IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0...

https://github.com/advisories/GHSA-gmfx-j9mc-3x8v

IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-8646

ibm.com

https://www.ibm.com/support/pages/node/7276579

github.com

https://github.com/advisories/GHSA-gmfx-j9mc-3x8v

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-8646
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-8646",
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "dateUpdated": "2026-06-22T15:58:37.275Z",
    "dateReserved": "2026-05-14T20:38:35.335Z",
    "datePublished": "2026-06-22T14:44:42.460Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm",
        "dateUpdated": "2026-06-22T14:44:42.460Z"
      },
      "title": "IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "IBM",
          "product": "WebSphere Application Server",
          "cpes": [
            "cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*"
          ],
          "versions": [
            {
              "version": "9.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "7.0.2 Interim Fix 035"
            },
            {
              "version": "8.5.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "7.0.3 Interim Fix 017"
            }
          ]
        },
        {
          "vendor": "IBM",
          "product": "WebSphere Application Server - Liberty",
          "cpes": [
            "cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.6:*:*:*:*:*:*:*"
          ],
          "versions": [
            {
              "version": "17.0.0.3",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "26.0.0.6"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
              "cweId": "CWE-444",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.ibm.com/support/pages/node/7276579",
          "tags": [
            "vendor-advisory",
            "patch"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71631 and PH71370. To determine if a feature is enabled for WebSphere Application Server Liberty, refer to  How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 . \n\n\n\nFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, or websocket-2.2 feature:\n\n\n\n· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves  PH71631 https://www.ibm.com/support/pages/node/7276381 \n--OR--\n· Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).\n\n\n\n\n\nFor IBM WebSphere Application Server traditional:\n\n\n\nFor V9.0.0.0 through 9.0.5.28:\n· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves  PH71370 https://www.ibm.com/support/pages/node/7276399 \n--OR--\n· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).  \n\n\n\nFor V8.5.0.0 through 8.5.5.29:\n· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix that resolves  PH71370 https://www.ibm.com/support/pages/node/7276399 \n--OR--\n· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\n\n\n\n\n\n\n\nAdditional interim fixes may be available and linked off the interim fix download page.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71631 and PH71370. To determine if a feature is enabled for WebSphere Application Server Liberty, refer to&nbsp;<a href=\"https://www.ibm.com/support/pages/node/6553910\" rel=\"nofollow\">How to determine if Liberty is using a specific feature</a>.&nbsp;</p><div><p><strong>For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, or websocket-2.2 feature:</strong></p><p>· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7276381\" rel=\"nofollow\">PH71631</a><br>--OR--<br>· Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).</p></div><p><strong>For IBM WebSphere Application Server traditional:</strong></p><p><strong>For V9.0.0.0 through 9.0.5.28:</strong><br>· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7276399\" rel=\"nofollow\">PH71370</a><br>--OR--<br>· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).&nbsp;&nbsp;</p><p><strong>For V8.5.0.0 through 8.5.5.29:</strong><br>· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7276399\" rel=\"nofollow\">PH71370</a><br>--OR--<br>· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).</p><p></p><p>Additional interim fixes may be available and linked off the interim fix download page.</p>"
            }
          ]
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-22T15:58:37.275Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}