Skip to main content

IBM WebSphere Application Server CVE-2026-10845

| EUVDEUVD-2026-38288 HIGH
Improper Authentication (CWE-287)
2026-06-22 ibm GHSA-8fp2-p896-ch7x
7.3
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.3 HIGH

Remote, no-auth bypass of JAX-WS authentication (AV:N/AC:L/PR:N/UI:N); impacts limited to what the affected JAX-WS apps expose, not full WAS compromise, so C/I/A:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 18:23 vuln.today
CVSS changed
Jun 22, 2026 - 18:23 NVD
7.3 (HIGH)
CVE Published
Jun 22, 2026 - 14:43 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.

AnalysisAI

Authentication bypass in IBM WebSphere Application Server 8.5 and 9.0 allows remote attackers to gain unauthorized access to JAX-WS web service applications without valid credentials. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed JAX-WS endpoint on WebSphere
Delivery
Send crafted SOAP request bypassing authentication
Exploit
JAX-WS engine processes request as trusted
Execution
Invoke protected web service operations
Impact
Read or modify application data

Vulnerability AssessmentAI

Exploitation The target must run IBM WebSphere Application Server 8.5.x or 9.0.x at a maintenance level below the IBM-issued interim fix referenced in advisory 7276597, and must have at least one JAX-WS application deployed and reachable by the attacker (vulnerability is scoped to JAX-WS applications per the IBM description, so installations without JAX-WS endpoints are not exposed via this vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N indicates remote, low-complexity, unauthenticated exploitation against any internet- or intranet-reachable JAX-WS endpoint, which is a serious exposure profile for enterprise middleware. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker who can reach a WebSphere-hosted JAX-WS endpoint (over the internet or from a compromised internal host) sends a crafted SOAP request that triggers the authentication bypass and is processed by the application as if it came from a legitimate authenticated principal. The attacker then invokes JAX-WS operations to read or manipulate the data and business functions the service exposes. …
Remediation Patch available per vendor advisory: apply the IBM-provided interim fix or fix pack referenced at https://www.ibm.com/support/pages/node/7276597 for both the 8.5.x and 9.0.x branches (EUVD references Interim Fix 035 on the 8.5 stream and Interim Fix 017 on the 9.0 stream - confirm the exact IFix identifier for your installed maintenance level with IBM Support before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running IBM WebSphere Application Server 8.5 or 9.0, particularly those exposed to networks or hosting mission-critical JAX-WS services. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

CVE-2026-10845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy