CVE Catalog

CVE-2026-8646

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

25th percentile - higher than 25% of all known CVEs

Summary

IBM WebSphere Application Server versions 9.0 and 8.5 and IBM WebSphere Application Server - Liberty versions 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server, allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

Risk Assessment

This vulnerability poses a significant risk to organizations, allowing attackers to bypass security mechanisms and gain access to sensitive data. This could lead to data breaches and violations of user privacy.

Recommendation

It is recommended to upgrade to the latest version of IBM WebSphere Application Server and implement additional security measures to mitigate the risks associated with this vulnerability.

Original NVD description (English source)

IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS