Skip to main content

IBM WebSphere CVE-2026-11541

| EUVDEUVD-2026-40413 CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-06-30 ibm GHSA-974x-wv37-rccw
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.9 HIGH

Network, unauthenticated, no user interaction, but a divergent front-end/back-end proxy pairing is needed (AC:H); smuggling yields high confidentiality and integrity impact with no direct availability effect (A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 02, 2026 - 18:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 18:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 18:07 vuln.today
cvss_changed
Severity Changed
Jul 02, 2026 - 18:07 NVD
HIGH CRITICAL
CVSS changed
Jul 02, 2026 - 18:07 NVD
7.4 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jun 30, 2026 - 22:00 vuln.today

DescriptionNVD

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

AnalysisAI

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify proxy-fronted WebSphere endpoint
Delivery
Craft request with conflicting CL/TE framing
Exploit
Desync front-end and back-end parsers
Execution
Smuggle hidden request into victim connection
Persist
Bypass auth or poison cache
Impact
Exfiltrate cross-user data

Vulnerability AssessmentAI

Exploitation Exploitation requires WebSphere Application Server 8.5/9.0 or Liberty 17.0.0.3-26.0.0.6 to be reachable over HTTP and, in practice, to sit behind an HTTP intermediary (reverse proxy, load balancer, CDN, or routing tier) whose request-boundary parsing diverges from WebSphere's - that architectural mismatch is the true prerequisite for a smuggling desync, even though the vendor vector lists PR:N/UI:N/AC:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and should be weighed rather than taken at face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a single crafted HTTP request with conflicting length/chunked-encoding headers to an internet-facing proxy or CDN fronting WebSphere; the proxy forwards it as one request while WebSphere parses a hidden second request, which is then prepended to the next legitimate user's traffic. This lets the attacker hijack another user's session, poison cached responses, or route the smuggled request past authentication controls. …
Remediation Patch available per IBM advisory (https://www.ibm.com/support/pages/node/7277550): apply the IBM-provided interim fix/iFix or fix pack for your specific WebSphere edition and release - for traditional WAS 8.5 and 9.0 install the recommended APAR/iFix, and for Liberty upgrade to the fixed release above 26.0.0.6 as directed by IBM (the exact fix version is specified on the IBM support node and is not reproduced here to avoid inventing a number). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct inventory of all IBM WebSphere Application Server (8.5, 9.0) and WebSphere Liberty (17.0.0.3-26.0.0.6) deployments; identify which sit behind proxy/load balancer infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

CVE-2020-4450 CRITICAL
9.8 Jun 05

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

Share

CVE-2026-11541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy