Skip to main content

IBM WebSphere Application Server CVE-2026-9320

| EUVDEUVD-2026-38254 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-22 ibm GHSA-j7mw-rcxc-j56c
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated HTTP request with no user interaction triggers memory exhaustion; availability-only impact, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 21:02 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 21:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 20:52 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 20:52 NVD
MEDIUM HIGH
CVSS changed
Jun 23, 2026 - 20:52 NVD
5.9 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Jun 22, 2026 - 16:07 vuln.today

DescriptionNVD

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.

AnalysisAI

Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed WAS/Liberty endpoint
Delivery
Craft malicious HTTP request
Exploit
Send to vulnerable handler
Execution
Trigger unbounded memory allocation
Persist
Exhaust JVM heap
Impact
Server becomes unresponsive

Vulnerability AssessmentAI

Exploitation The target must be a reachable HTTP(S) endpoint served by IBM WebSphere Application Server 9.0 or 8.5 (traditional) or WebSphere Liberty 17.0.0.3-26.0.0.6, with the affected request-processing path exposed to the attacker; the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote, unauthenticated exploitation with no user interaction against default-reachable configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on the network sends a specially-crafted HTTP request - or a small number of them - to an exposed WAS or Liberty endpoint. The vulnerable request handler allocates memory proportional to attacker-controlled input without bounds, growing the JVM heap until the server becomes unresponsive or the JVM terminates with OutOfMemoryError, taking the hosted applications offline. …
Remediation Vendor-released patch is available per the IBM advisory at https://www.ibm.com/support/pages/node/7276579 - apply the corresponding interim fix for your branch (post-7.0.2 IF035 for WAS 9.0, post-7.0.3 IF017 for WAS 8.5) and upgrade Liberty to a release beyond 26.0.0.6. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all IBM WebSphere Application Server instances (versions 9.0, 8.5, and Liberty 17.0.0.3-26.0.0.6) across the organization to determine exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

CVE-2026-9320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy