Skip to main content

IBM WebSphere Application Server CVE-2026-9006

| EUVDEUVD-2026-38252 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-22 ibm GHSA-57wv-8v6f-4353
9.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.2 HIGH

Network-reachable proxy, no auth or UI needed; high confidentiality via SSRF reads, but integrity impact via forged requests is realistically low, not high.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 20:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 20:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 20:52 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 20:52 NVD
HIGH CRITICAL
CVSS changed
Jun 23, 2026 - 20:52 NVD
7.4 (HIGH) 9.1 (CRITICAL)
Analysis Generated
Jun 22, 2026 - 16:03 vuln.today

DescriptionNVD

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may allow an attacker to send unauthorized requests from the system, resulting in a security bypass or information disclosure.

AnalysisAI

Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WebSphere host with Ajax Proxy
Delivery
Craft proxied request to internal target
Exploit
Submit to proxy servlet endpoint
Execution
WAS issues server-side request
Persist
Receive proxied response
Impact
Exfiltrate internal data or credentials

Vulnerability AssessmentAI

Exploitation The Ajax Proxy component must be explicitly configured and reachable on the target WebSphere instance - it is not enabled by default, so exposure is limited to deployments that have provisioned a proxy servlet (typically via proxy-config.xml) for cross-domain XHR support. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals diverge sharply on this CVE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on the network sends an HTTP request to the WebSphere Ajax Proxy endpoint with a target URL pointing at an internal-only service (e.g., http://localhost:9080/admin, an internal Redis instance, or a cloud metadata endpoint). WAS forwards the request server-side and returns the response, leaking internal data, session tokens, or cloud IAM credentials to the attacker. …
Remediation Vendor-released patch: apply the Interim Fixes referenced in IBM advisory https://www.ibm.com/support/pages/node/7276600 - Interim Fix 017 for the 8.5 stream and Interim Fix 035 for the 9.0 stream - or upgrade to a Fix Pack that supersedes them. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WebSphere 8.5/9.0 deployments with Ajax Proxy enabled; disable the proxy where operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

CVE-2026-9006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy