Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable and unauthenticated (AV:N/PR:N), but request smuggling plus the required non-default restConnector-2.0 feature raise complexity to AC:H; impact is confidentiality-only (C:H, I:N, A:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionNVD
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.
AnalysisAI
Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The restConnector-2.0 feature must be enabled in the Liberty configuration (server.xml) and its administrative HTTPS endpoint must be network-reachable by the attacker - this is the exact, concrete prerequisite named in the vendor description and is not the default posture for many deployments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a Liberty server's administrative REST endpoint sends a crafted, ambiguously-framed HTTP request that the front-end and back-end parse differently, smuggling a request that causes the server to return the contents of a file it should not disclose (for example configuration or credential material). No public exploit identified at time of analysis, and the target must have restConnector-2.0 enabled and network-reachable, so exploitation is opportunistic rather than automated. |
| Remediation | Apply the fix described in IBM's advisory at https://www.ibm.com/support/pages/node/7277536; consult that page for the exact iFix or corrected fix pack, as no specific patched version string is present in the provided data - do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WebSphere Liberty instances running versions 17.0.0.3 through 26.0.0.6 and check which have the restConnector-2.0 feature enabled; disable the feature immediately if not operationally required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Websphere Application Server
View allIBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.
The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co
Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe
IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40394
GHSA-cxrq-p7xp-m9hw