Description

IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.

Severity (CVSS)

Base score: 7.4
Severity: High
Version: CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Provided by: CNA

Weaknesses

  • CWE-444 — CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Vendor | Product | Versions
IBM | WebSphere Application Server | 9.0.0 to <=7.0.2 Interim Fix 035; 8.5.0 to <=7.0.3 Interim Fix 017
IBM | WebSphere Application Server - Liberty | 17.0.0.3 to <=26.0.0.6

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 23 Jun 2026 10:05 UTC.