IBM HTTP Server: Eight CVEs Disclosed, Including Critical Unauthenticated RCE
IBM disclosed eight CVEs for HTTP Server 8.5 and 9.0 on May 26, including a Critical unauthenticated RCE bug and six High-severity flaws spanning buffer overflows, DoS, and mTLS-specific code execution.

Key findings
- One Critical (CVSS 9.8) unauthenticated RCE bug: CVE-2026-9170
- Two additional RCE-capable bugs: CVE-2026-8855 (mTLS) and CVE-2026-8834 (Admin Server)
- Five of the eight CVEs are denial-of-service flaws across core and optional modules
- CVE-2026-8855 only exploitable when TLS mutual authentication is enabled
- All eight CVEs affect IBM HTTP Server 8.5 and 9.0; fixes available from IBM Support
- No active exploitation reported as of the May 26 advisory date
IBM HTTP Server (IHS), the Apache-based web server that fronts many IBM WebSphere Application Server traditional deployments, became the subject of a coordinated security disclosure on May 26, 2026, when IBM published eight CVEs covering the 8.5 and 9.0 release lines. All eight were published within a single hour, and the batch includes one Critical-severity flaw alongside six High-severity and one Medium-severity issue, making it one of the densest IHS advisories in recent years.
The most severe of the group is CVE-2026-9170, a Critical (CVSS 9.8) vulnerability that affects both IHS 8.5 and 9.0. IBM's advisory does not detail the attack vector, but a 9.8 base score corresponds to the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network, with low attack complexity, no privileges and no user interaction, and with high impact on confidentiality, integrity and availability. That combination typically indicates a memory-corruption or unauthenticated code-execution path in the server core. Administrators should treat this CVE as the highest-priority item in the batch.
A cluster of High-severity bugs targets specific IHS modules and configuration modes. CVE-2026-8855 (CVSS 8.1) is notable because it enables both remote code execution and denial of service, but only in deployments where TLS mutual authentication (client certificates) is enabled. That constraint limits the attack surface to environments using mTLS, which is common in financial and government sectors, but for those users the risk is significant. CVE-2026-8834 (CVSS 8.0) is a buffer overflow reachable by a privileged user authenticated to the Administration Server, also leading to RCE or DoS. CVE-2026-8856 (CVSS 7.7) covers a DoS condition that requires write access to parts of the server configuration, meaning an attacker who already has a foothold on the host can crash the service.
Three further High-severity CVEs are denial-of-service flaws, two in optional modules and one in the Administration Server. CVE-2026-8854 (CVSS 7.5) affects mod_mem_cache, CVE-2026-8850 (CVSS 7.5) targets mod_ibm_upload, and CVE-2026-8835 (CVSS 7.3) is an invalid pointer dereference exploitable by a privileged Administration Server user that could leak sensitive information or crash the server. The sole Medium-severity entry, CVE-2026-8852 (CVSS 6.2), is a DoS in the optional mod_fastcgi module.
IBM has not reported any active exploitation of these CVEs in the wild as of the advisory date. However, the presence of a Critical unauthenticated RCE vector (CVE-2026-9170) and two additional RCE-capable bugs (CVE-2026-8855 and CVE-2026-8834) means the batch is likely to attract attention from both security researchers and threat actors targeting enterprise IBM infrastructure.
IBM has released fixes for all eight CVEs. The advisory covers IHS versions 8.5 and 9.0; administrators should consult the IBM Support Portal for the specific fix pack or interim fix that addresses each CVE. Because several of the High-severity bugs are module-specific, organizations that do not load mod_mem_cache, mod_fastcgi, or mod_ibm_upload, and that do not enable TLS mutual authentication, have a reduced attack surface. The Critical CVE-2026-9170 and the configuration-write DoS CVE-2026-8856 apply regardless of optional module configuration, and the Administration Server bugs (CVE-2026-8834, CVE-2026-8835) apply to every deployment that runs the Administration Server, which IHS installs as an optional component. Note that a reduced attack surface is a reason to sequence patching, not to skip it: the fix for the whole batch should still be applied.
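The scoping exercise just described can be scripted. The following is an added example, not IBM's own tooling or anything from the advisory: it reads an httpd.conf and reports which of the batch's conditional CVEs the configuration leaves reachable. It assumes the optional modules appear in standard Apache `LoadModule` lines naming the module's `.so` file, and that client-certificate authentication is controlled by the IHS `SSLClientAuth` directive; the mapping from directive to CVE follows the article's descriptions. The sample configuration is constructed for the example.

```python
"""Scope exposure to the May 26 IBM HTTP Server CVE batch from an httpd.conf.

Added example, not IBM tooling. Assumptions not stated in the advisory:
optional modules are loaded with Apache-style `LoadModule` lines that name
the .so file, and client-certificate authentication is enabled through the
IHS `SSLClientAuth` directive. Only the text passed in is scanned; if the
server splits its configuration across Include files, concatenate them first.
"""
import re

# Optional module .so name -> CVE the advisory ties to that module.
MODULE_CVES = {
    "mod_mem_cache": "CVE-2026-8854",
    "mod_ibm_upload": "CVE-2026-8850",
    "mod_fastcgi": "CVE-2026-8852",
}

# CVEs that are not gated on optional-module or mTLS configuration.
UNCONDITIONAL_CVES = {
    "CVE-2026-9170": "core flaw, applies to all IHS 8.5/9.0 installs",
    "CVE-2026-8856": "config-write DoS, applies to all installs",
    "CVE-2026-8834": "Administration Server (exposed if the admin server runs)",
    "CVE-2026-8835": "Administration Server (exposed if the admin server runs)",
}

# `LoadModule <token> <path>/mod_xxx.so`; the path prefix is matched lazily.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+\S+\s+\S*?(mod_[a-z_]+)\.so", re.IGNORECASE)
CLIENTAUTH_RE = re.compile(r"^\s*SSLClientAuth\s+(\S+)", re.IGNORECASE)


def active_lines(conf_text):
    """Yield configuration lines with comments and blank lines removed."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def assess_exposure(conf_text):
    """Return {cve: reason} for every CVE in the batch the config leaves reachable."""
    exposed = dict(UNCONDITIONAL_CVES)
    mtls_modes = set()
    for line in active_lines(conf_text):
        m = LOADMODULE_RE.match(line)
        if m and m.group(1).lower() in MODULE_CVES:
            exposed[MODULE_CVES[m.group(1).lower()]] = f"{m.group(1)} is loaded"
            continue
        m = CLIENTAUTH_RE.match(line)
        if m:
            mtls_modes.add(m.group(1).lower())
    # Conservative assumption: any SSLClientAuth value other than 'none'
    # makes the server request a client certificate, so treat it as mTLS.
    requesting = sorted(mtls_modes - {"none"})
    if requesting:
        exposed["CVE-2026-8855"] = "SSLClientAuth " + ", ".join(requesting)
    return exposed


# Constructed httpd.conf fragment for demonstration; not a real IHS config.
SAMPLE_CONF = """\
ServerRoot "/opt/IBM/HTTPServer"
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule mem_cache_module modules/mod_mem_cache.so
#LoadModule fastcgi_module modules/mod_fastcgi.so
<VirtualHost *:443>
    SSLEnable
    SSLClientAuth Required
</VirtualHost>
"""

if __name__ == "__main__":
    for cve, reason in sorted(assess_exposure(SAMPLE_CONF).items()):
        print(f"{cve}: {reason}")
```

On the sample, mod_mem_cache and SSLClientAuth Required add CVE-2026-8854 and CVE-2026-8855 to the four unconditional entries, while the commented-out mod_fastcgi line and the absent mod_ibm_upload keep CVE-2026-8852 and CVE-2026-8850 off the list.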
For teams running IBM HTTP Server in production, this batch reinforces the importance of treating IHS as a first-class attack surface rather than a passive reverse proxy. The concentration of RCE and DoS bugs across both core and optional components means that a single unpatched module can become an entry point. Organizations should prioritize CVE-2026-9170 for immediate patching, followed by the mTLS-dependent CVE-2026-8855 and the Administration Server buffer overflow CVE-2026-8834.