Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.
AnalysisAI
Identity spoofing in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 allows authenticated attackers with low privileges to impersonate other users and escalate privileges when applications are deployed without proper authentication and authorization controls. The vulnerability requires high attack complexity and low-privilege credentials, but enables complete compromise of confidentiality, integrity, and availability within the application scope. CVSS 7.5 (High) reflects the significant impact once exploitation conditions are met. No public exploit identified at time of analysis, and vendor patch is available per IBM advisory.
Technical ContextAI
IBM WebSphere Application Server Liberty is a lightweight, composable Java EE application server. This vulnerability affects versions spanning nearly a decade of releases (17.0.0.3 through 26.0.0.4), indicating a long-standing architectural flaw in the identity management subsystem. The root cause is CWE-269 (Improper Privilege Management), suggesting the Liberty server fails to properly validate or enforce user identity claims when applications are deployed without explicit authentication and authorization configuration. This likely involves flaws in how Liberty handles default security contexts, session management, or identity assertion mechanisms when security constraints are not explicitly defined in application deployment descriptors (web.xml, server.xml). The vulnerability manifests specifically in deployment scenarios where developers rely on implicit security rather than explicit security configuration, a common pattern in development and testing environments that sometimes propagates to production.
RemediationAI
Apply vendor-released patch per IBM Security Bulletin available at https://www.ibm.com/support/pages/node/7270437, which provides specific fixed versions for affected Liberty release streams. IBM typically releases cumulative fix packs for supported Liberty versions - consult the advisory for exact fixed versions corresponding to your deployed major version (17.x, 18.x, through 26.x branches). As an immediate compensating control with minimal side effects, audit all deployed applications to ensure explicit authentication and authorization constraints are configured in web.xml (security-constraint, auth-constraint elements) and server.xml (application security configuration). This eliminates the vulnerable deployment condition entirely. For applications intentionally deployed without authentication (public-facing content, health check endpoints), isolate these to separate Liberty instances with network segmentation to prevent authenticated attackers from leveraging identity spoofing to access protected resources on the same server. Deploy web application firewall rules to enforce authentication at the perimeter for sensitive applications until patching is complete, though this adds latency and does not address server-side identity validation weaknesses. Review and harden Liberty security configuration following IBM's security hardening guides, particularly default authentication mechanisms and session management settings.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25131
GHSA-r6x6-g36w-q7qm