Skip to main content

WebSphere Liberty CVE-2026-5516

| EUVDEUVD-2026-32487 MEDIUM
Race Condition (CWE-362)
2026-05-27 psirt@us.ibm.com GHSA-gccj-9cv3-fp5p
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:20 vuln.today

DescriptionCVE.org

IBM WebSphere Application Server - Liberty 22.0.0.11 through 26.0.0.5 IBM WebSphere Application Server Liberty could allow a remote attacker to bypass security under limited conditions by exploiting a specific timing window.

AnalysisAI

Security bypass via race condition in IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 allows a remote, highly-privileged attacker to circumvent access controls during a narrow timing window, resulting in high-confidentiality-impact data exposure. The CVSS vector confirms network-based exploitation requiring high privileges and high attack complexity, constraining real-world risk significantly. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

IBM WebSphere Application Server Liberty is a lightweight Java EE/Jakarta EE application server. The vulnerability is a classic time-of-check/time-of-use (TOCTOU) or race-condition class of flaw - the description explicitly references 'a specific timing window' during which a security enforcement mechanism can be bypassed. No CWE has been formally assigned, but the behavior aligns with CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) or CWE-367 (TOCTOU Race Condition). The affected CPE range covers Liberty versions from 22.0.0.11 up to and including 26.0.0.5, a roughly four-year release span. The S:U (unchanged scope) CVSS component indicates the impact is confined to the Liberty application server process itself rather than escaping to the underlying OS or adjacent systems.

RemediationAI

The primary remediation is to apply the IBM-issued fix referenced in the vendor advisory at https://www.ibm.com/support/pages/node/7273425. An exact patched version number was not independently confirmed from the available input data - consult the IBM support page directly for the specific fix pack or interim fix designation. As a compensating control while patching is scheduled, restrict high-privilege Liberty account access to the minimum set of trusted administrators, since PR:H means exploitation requires a high-privilege session - reducing the number of accounts with that privilege level directly narrows the attack surface. Additionally, network-layer controls that limit which hosts can authenticate to the Liberty administrative interface reduce exposure for AC:H network-vector attacks. Monitoring for anomalous authentication events or unexpected data access by privileged accounts can serve as a detective control. No side effects of the vendor patch are known from available data.

Share

CVE-2026-5516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy