IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty affected
Version Status Constraints
8.5, 9.0 affected ≤ Interim Fix 002

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Ibm Subscribe
Web Server Plug Ins For Websphere Application Server And Websphere Liberty Subscribe
Advisories

No advisories yet.

Fixes

Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71342.  Web Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty): For V9.0.0.0 through 9.0.5.27: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves  PH71342 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Web Server Plug-ins Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).   For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves  PH71342 https://www.ibm.com/support/pages/node/7273976 --OR-- · Apply Web Server Plug-ins Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.

Workaround

No workaround given by the vendor.

References
Link Providers
https://www.ibm.com/support/pages/node/7274072 cve-icon cve-icon
History

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
Title IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins
First Time appeared Ibm
Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
Weaknesses CWE-444
CPEs cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm web Server Plug Ins For Websphere Application Server And Websphere Liberty
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T17:15:00.501Z

Reserved: 2026-05-14T18:19:54.491Z

Link: CVE-2026-8620

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-26T18:16:56.350

Modified: 2026-05-26T19:06:14.330

Link: CVE-2026-8620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses