Skip to main content

IBM WebSphere Plug-ins CVE-2026-9170

| EUVDEUVD-2026-31939 CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-05-26 ibm GHSA-q578-5vf7-89mr
9.8
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (ibm) · only source for this CVE.

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 08:31 vuln.today
Severity Changed
May 27, 2026 - 19:37 NVD
HIGH CRITICAL
CVSS changed
May 27, 2026 - 19:37 NVD
7.5 (HIGH) 9.8 (CRITICAL)

DescriptionCVE.org

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to denial of service and a potential remote code execution due to improper input validation.

AnalysisAI

Remote code execution and denial of service in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 stem from improper input validation (CWE-444 HTTP Request Smuggling). Unauthenticated network attackers can send crafted requests that desynchronize the plug-in's request parsing, potentially achieving full compromise of the application tier. No public exploit identified at time of analysis, and EPSS remains low (0.06%), but the vendor confirms a patch and CISA SSVC rates the technical impact as total with automatable exploitation.

Technical ContextAI

The IBM Web Server Plug-ins act as a bridge between front-end HTTP servers (IHS, Apache, IIS) and back-end WebSphere Application Server / Liberty instances, forwarding HTTP traffic via the WebSphere internal protocol. The CWE-444 classification (Inconsistent Interpretation of HTTP Requests, a.k.a. HTTP Request Smuggling) indicates the plug-in and the upstream HTTP server disagree on request boundaries - typically due to conflicting Content-Length / Transfer-Encoding handling or malformed header parsing. The affected CPE cpe:2.3:a:ibm:web_server_plug-ins_for_websphere_application_server_and_websphere_liberty covers all versions of the plug-in shipped alongside WebSphere 8.5 and 9.0, meaning the flaw lives in the request-forwarding layer rather than in application code running on Liberty.

RemediationAI

Patch available per vendor advisory - apply the IBM-issued interim fix for the Web Server Plug-ins documented at https://www.ibm.com/support/pages/node/7274072 and https://www.ibm.com/support/pages/node/7274065, matching the fix to your installed 8.5 or 9.0 stream (exact fix version is not stated in the available intelligence and must be confirmed against the IBM advisory). Until the plug-in binaries can be replaced and the fronting HTTP server restarted, compensating controls include placing a strict reverse proxy or WAF in front of the plug-in that normalizes HTTP/1.1 framing (rejecting requests with both Content-Length and Transfer-Encoding, or with malformed chunked encoding), disabling HTTP keep-alive on the plug-in upstream to prevent socket reuse across smuggled requests (trade-off: increased connection overhead), and restricting plug-in access to known front-end IPs via firewall rules. Avoid relying solely on detection signatures, since CWE-444 smuggling variants mutate easily.

Share

CVE-2026-9170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy