CVE-2026-8646
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
IBM WebSphere Application Server versions 9.0 and 8.5 and IBM WebSphere Application Server - Liberty versions 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server, allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
Risk Assessment
This vulnerability poses a significant risk to organizations, allowing attackers to bypass security mechanisms and gain access to sensitive data. This could lead to data breaches and violations of user privacy.
Recommendation
It is recommended to upgrade to the latest version of IBM WebSphere Application Server and implement additional security measures to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

