Skip to main content

IBM WebSphere Application Server EUVDEUVD-2026-33732

| CVE-2026-8644 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-06-01 ibm GHSA-6xwx-7ghh-j6w4
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 19:21 vuln.today

DescriptionCVE.org

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.

AnalysisAI

Identity spoofing in IBM WebSphere Application Server 9.0 and 8.5 allows remote unauthenticated attackers to impersonate legitimate users or services, leading to high-impact compromise of integrity and availability of hosted applications. The CVSS 9.1 score reflects network-reachable exploitation with low complexity and no privileges required, while no public exploit identified at time of analysis. The flaw is tracked under CWE-290 (Authentication Bypass by Spoofing) and has a vendor-released patch referenced via IBM support.

Technical ContextAI

IBM WebSphere Application Server (WAS) is a Java EE / Jakarta EE application server widely deployed in large enterprises to host mission-critical web applications, SOAP/REST services, and middleware integrations. The CPE cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:* covers all editions (Base, Network Deployment, Liberty traditional profile) within the affected 8.5 and 9.0 release trains. CWE-290 (Authentication Bypass by Spoofing) indicates the product trusts an identity assertion - typically a token, header, certificate, or principal claim - without sufficiently validating its authenticity, allowing an attacker to present a forged identity that downstream authorization logic accepts as legitimate.

RemediationAI

Patch available per vendor advisory - apply the IBM-supplied interim fix or fix pack documented at https://www.ibm.com/support/pages/node/7274740 for the 9.0 and 8.5 release streams, following IBM's standard procedure of taking a configuration backup, applying via Installation Manager (traditional) or the appropriate Liberty update mechanism, and restarting affected JVMs. Where immediate patching is not feasible, compensating controls include placing WAS endpoints behind an authenticating reverse proxy or WAF that performs independent identity verification before requests reach the application server, restricting network reachability of administrative and SOAP/REST endpoints to known management subnets, and tightening trust-association interceptor (TAI), SAML, and LTPA configurations to reject unsigned or weakly-validated identity assertions; note that reverse-proxy enforcement only mitigates externally-reachable paths and does not protect against attackers already inside the network perimeter.

Share

EUVD-2026-33732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy