Skip to main content

IBM WebSphere EUVDEUVD-2026-38251

| CVE-2026-8646 CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-06-22 ibm GHSA-gmfx-j9mc-3x8v
9.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.7 CRITICAL

Network-reachable and unauthenticated, but AC:H because exploitation depends on a desynchronizing upstream proxy; scope changes to affect other users' sessions, with high C/I and no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 20:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 20:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 20:52 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 20:52 NVD
HIGH CRITICAL
CVSS changed
Jun 23, 2026 - 20:52 NVD
7.4 (HIGH) 9.1 (CRITICAL)
Analysis Generated
Jun 22, 2026 - 16:03 vuln.today

DescriptionNVD

IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

AnalysisAI

HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WebSphere behind shared proxy
Delivery
Craft ambiguous TE/CL request
Exploit
Send smuggled request over keep-alive
Execution
Desync front-end and Liberty parser
Persist
Hijack adjacent user session
Impact
Bypass auth and exfiltrate data

Vulnerability AssessmentAI

Exploitation No special authentication or user interaction is required (CVSS AV:N/AC:L/PR:N/UI:N), and any reachable WebSphere 8.5/9.0 or Liberty 17.0.0.3-26.0.0.6 HTTP listener on a vulnerable build is in scope. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:N, 9.1 Critical) describes a low-complexity, unauthenticated, network-reachable flaw with high confidentiality and integrity impact - consistent with how request smuggling is typically weaponized to bypass auth front-ends and view or modify other users' traffic. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet sends a single HTTP request containing conflicting Content-Length and Transfer-Encoding headers to a WebSphere Liberty endpoint sitting behind a shared reverse proxy. The front-end forwards what it considers one request, but WebSphere parses a second smuggled request hidden in the body, which then executes in the context of the next legitimate user's connection - letting the attacker capture session cookies, bypass authentication checks performed at the proxy, or impersonate authenticated users. …
Remediation Patch available per vendor advisory - apply the IBM-provided interim fixes for traditional WebSphere 8.5 and 9.0 and upgrade Liberty beyond 26.0.0.6 as instructed at https://www.ibm.com/support/pages/node/7276579 (also see https://nvd.nist.gov/vuln/detail/CVE-2026-8646 and https://vuldb.com/vuln/372713). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running IBM WebSphere Application Server 8.5, 9.0, or Liberty versions 17.0.0.3 through 26.0.0.6 and restrict network access to affected instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4279 CRITICAL POC
9.8 May 17

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with

CVE-2015-1920 CRITICAL
10.0 May 20

IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.

CVE-2013-1777 CRITICAL
10.0 Jul 11

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co

CVE-2012-5955 CRITICAL
10.0 Dec 20

Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows

CVE-2018-1770 MEDIUM POC
6.5 Oct 12

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys

CVE-2016-5983 HIGH
7.5 Oct 05

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2

CVE-2013-0462 CRITICAL
10.0 Jan 27

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i

CVE-2026-11541 CRITICAL
9.8 Jun 30

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr

CVE-2026-11546 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen

CVE-2026-11714 CRITICAL
9.8 Jun 30

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe

CVE-2023-23477 CRITICAL
9.8 Feb 03

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the

CVE-2020-4589 CRITICAL
9.8 Aug 13

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s

Share

EUVD-2026-38251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy