Skip to main content

IBM WebSphere Liberty CVE-2026-11714

| EUVDEUVD-2026-40395 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-30 psirt@us.ibm.com GHSA-2pmg-8j9g-3c72
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.2 CRITICAL

Unauthenticated network SSRF (AV:N/PR:N/UI:N) enables high confidentiality via internal reads and metadata theft; integrity is low and availability negligible, unlike the vendor's C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 02, 2026 - 18:15 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 18:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 18:07 vuln.today
cvss_changed
Severity Changed
Jul 02, 2026 - 18:07 NVD
HIGH CRITICAL
CVSS changed
Jul 02, 2026 - 18:07 NVD
8.5 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jun 30, 2026 - 20:35 vuln.today

DescriptionNVD

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.

AnalysisAI

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthenticated attackers coerce the server into issuing crafted requests to internal or external systems when the optional apiDiscovery-1.0 feature is enabled. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N), reflecting network-reachable, no-privilege exploitation, though no public exploit is identified at time of analysis and EPSS is low at 0.19% (8th percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Liberty host with apiDiscovery-1.0 enabled
Delivery
Send crafted unauthenticated request naming internal target
Exploit
Server issues attacker-controlled outbound request (SSRF)
Execution
Reach internal service or cloud metadata endpoint
Impact
Exfiltrate data or pivot into internal network

Vulnerability AssessmentAI

Exploitation The decisive prerequisite is that the apiDiscovery-1.0 feature is explicitly enabled in the Liberty server configuration (featureManager in server.xml); this feature is not part of a default Liberty server, so servers without it are not exploitable regardless of version. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and should be weighed together rather than acting on the 9.8 alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker identifies an internet-reachable Liberty server with apiDiscovery-1.0 enabled and submits a crafted request that causes the server to fetch an attacker-specified URL. The server issues that request from inside the network, letting the attacker probe internal-only services or retrieve cloud instance metadata credentials. …
Remediation Apply the fix from the IBM advisory at https://www.ibm.com/support/pages/node/7278580 (Patch available per vendor advisory; an exact fixed fix-pack version is not stated in the available data, so confirm the interim fix or fix pack level directly with IBM for your release). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all IBM WebSphere Application Server Liberty instances for versions 17.0.0.3-26.0.0.7; identify deployments with apiDiscovery-1.0 feature enabled and network accessibility. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

CVE-2020-4450 CRITICAL
9.8 Jun 05

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

Share

CVE-2026-11714 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy