Skip to main content

WebSphere Application Server Liberty EUVDEUVD-2026-25131

| CVE-2026-3621 HIGH
Improper Privilege Management (CWE-269)
2026-04-22 ibm GHSA-r6x6-g36w-q7qm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:56 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 23:31 euvd
EUVD-2026-25131
Analysis Generated
Apr 22, 2026 - 23:31 vuln.today
Patch released
Apr 22, 2026 - 23:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 23:07 nvd
HIGH 7.5

DescriptionCVE.org

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.

AnalysisAI

Identity spoofing in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 allows authenticated attackers with low privileges to impersonate other users and escalate privileges when applications are deployed without proper authentication and authorization controls. The vulnerability requires high attack complexity and low-privilege credentials, but enables complete compromise of confidentiality, integrity, and availability within the application scope. CVSS 7.5 (High) reflects the significant impact once exploitation conditions are met. No public exploit identified at time of analysis, and vendor patch is available per IBM advisory.

Technical ContextAI

IBM WebSphere Application Server Liberty is a lightweight, composable Java EE application server. This vulnerability affects versions spanning nearly a decade of releases (17.0.0.3 through 26.0.0.4), indicating a long-standing architectural flaw in the identity management subsystem. The root cause is CWE-269 (Improper Privilege Management), suggesting the Liberty server fails to properly validate or enforce user identity claims when applications are deployed without explicit authentication and authorization configuration. This likely involves flaws in how Liberty handles default security contexts, session management, or identity assertion mechanisms when security constraints are not explicitly defined in application deployment descriptors (web.xml, server.xml). The vulnerability manifests specifically in deployment scenarios where developers rely on implicit security rather than explicit security configuration, a common pattern in development and testing environments that sometimes propagates to production.

RemediationAI

Apply vendor-released patch per IBM Security Bulletin available at https://www.ibm.com/support/pages/node/7270437, which provides specific fixed versions for affected Liberty release streams. IBM typically releases cumulative fix packs for supported Liberty versions - consult the advisory for exact fixed versions corresponding to your deployed major version (17.x, 18.x, through 26.x branches). As an immediate compensating control with minimal side effects, audit all deployed applications to ensure explicit authentication and authorization constraints are configured in web.xml (security-constraint, auth-constraint elements) and server.xml (application security configuration). This eliminates the vulnerable deployment condition entirely. For applications intentionally deployed without authentication (public-facing content, health check endpoints), isolate these to separate Liberty instances with network segmentation to prevent authenticated attackers from leveraging identity spoofing to access protected resources on the same server. Deploy web application firewall rules to enforce authentication at the perimeter for sensitive applications until patching is complete, though this adds latency and does not address server-side identity validation weaknesses. Review and harden Liberty security configuration following IBM's security hardening guides, particularly default authentication mechanisms and session management settings.

Share

EUVD-2026-25131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy