Skip to main content

IBM WebSphere Liberty CVE-2026-11806

| EUVDEUVD-2026-40394 HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-06-30 psirt@us.ibm.com GHSA-cxrq-p7xp-m9hw
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 HIGH

Network-reachable and unauthenticated (AV:N/PR:N), but request smuggling plus the required non-default restConnector-2.0 feature raise complexity to AC:H; impact is confidentiality-only (C:H, I:N, A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Updated
Jul 02, 2026 - 18:17 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 18:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 18:07 vuln.today
cvss_changed
CVSS changed
Jul 02, 2026 - 18:07 NVD
7.2 (HIGH) 7.5 (HIGH)
Analysis Generated
Jun 30, 2026 - 20:35 vuln.today

DescriptionNVD

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

AnalysisAI

Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Liberty restConnector endpoint
Delivery
Send ambiguously-framed HTTP request
Exploit
Trigger request-smuggling parse mismatch
Execution
Coerce server to read target file
Impact
Exfiltrate disclosed file contents

Vulnerability AssessmentAI

Exploitation The restConnector-2.0 feature must be enabled in the Liberty configuration (server.xml) and its administrative HTTPS endpoint must be network-reachable by the attacker - this is the exact, concrete prerequisite named in the vendor description and is not the default posture for many deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a Liberty server's administrative REST endpoint sends a crafted, ambiguously-framed HTTP request that the front-end and back-end parse differently, smuggling a request that causes the server to return the contents of a file it should not disclose (for example configuration or credential material). No public exploit identified at time of analysis, and the target must have restConnector-2.0 enabled and network-reachable, so exploitation is opportunistic rather than automated.
Remediation Apply the fix described in IBM's advisory at https://www.ibm.com/support/pages/node/7277536; consult that page for the exact iFix or corrected fix pack, as no specific patched version string is present in the provided data - do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WebSphere Liberty instances running versions 17.0.0.3 through 26.0.0.6 and check which have the restConnector-2.0 feature enabled; disable the feature immediately if not operationally required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

CVE-2026-11806 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy