Skip to main content

IBM WebSphere Plug-ins EUVDEUVD-2026-31921

| CVE-2026-8620 HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-05-26 ibm GHSA-qwgm-xj6f-w5v6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 10:29 vuln.today

DescriptionCVE.org

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.

AnalysisAI

HTTP request smuggling in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows remote unauthenticated attackers to send specially crafted requests that desynchronize front-end and back-end HTTP parsing. Successful exploitation enables cache poisoning, security control bypass, and limited disclosure or modification of data passing through the plug-in, with a CVSS 7.5 reflecting a Changed scope and high confidentiality impact. There is no public exploit identified at time of analysis, EPSS is low at 0.05% (15th percentile), and CISA SSVC marks exploitation status as none.

Technical ContextAI

The IBM Web Server Plug-ins act as a reverse-proxy bridge between front-end web servers (IHS, Apache, IIS) and back-end WebSphere Application Server or Liberty profiles, forwarding HTTP requests over the WebSphere transport. CWE-444 (Inconsistent Interpretation of HTTP Requests) covers HTTP Request Smuggling, where discrepancies in how two HTTP-handling components parse Content-Length, Transfer-Encoding, or request-line framing allow an attacker to inject a second 'smuggled' request boundary inside one TCP stream. The affected CPE cpe:2.3:a:ibm:web_server_plug-ins_for_websphere_application_server_and_websphere_liberty covers all versions through Interim Fix 002 per EUVD data, indicating the parsing inconsistency lives in the plug-in's request-forwarding logic between the front-end web server and the WebSphere container.

RemediationAI

Patch available per vendor advisory: apply the IBM-provided fix referenced at https://www.ibm.com/support/pages/node/7274072 to upgrade beyond Interim Fix 002 on both the 8.5 and 9.0 plug-in streams (exact fix-pack version is published in the IBM advisory and should be matched to your installed plug-in level). Because the plug-in is typically deployed on the front-end web server (IHS/Apache/IIS), update each web-server tier that hosts the plug-in, not just the WebSphere application servers behind it. If immediate patching is not possible, compensating controls include placing a strict HTTP-normalizing reverse proxy or WAF in front of the plug-in to reject ambiguous Content-Length/Transfer-Encoding combinations and pipelined requests (trade-off: may break legitimate clients that rely on keep-alive pipelining), disabling HTTP keep-alive between the front-end web server and back-end where feasible to neutralize smuggling at TCP boundaries (trade-off: noticeable latency and CPU overhead), and restricting plug-in exposure to trusted networks while monitoring for anomalous double Content-Length or conflicting framing headers.

Share

EUVD-2026-31921 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy