CVE-2026-8620
Description
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0: IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HTTP request smuggling vulnerability in IBM Web Server Plug-ins for WebSphere Application Server and Liberty allows specially crafted requests to cause request bypass or poisoning.
Vulnerability
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty, versions 8.5 and 9.0, are vulnerable to HTTP request smuggling [1]. The vulnerability exists in the Web Server Plug-ins component due to improper handling of specially crafted HTTP requests, allowing an attacker to smuggle requests and cause request bypass or poisoning.
Exploitation
An attacker with network access to the affected web server can send a specially crafted HTTP request that exploits the discrepancy between how the plug-in and the backend server parse request boundaries [1]. No authentication is required for exploitation. The attack does not require user interaction and can be executed remotely.
Impact
Successful exploitation could allow the attacker to bypass security controls, poison the web cache, or redirect user requests to unintended endpoints, leading to potential information disclosure or session hijacking [1]. The impact is classified as HTTP request smuggling with a CVSS v3 base score of 7.5 (High).
Mitigation
IBM has addressed this vulnerability through APAR PH71342 [1]. For WebSphere V9.0.0.0 through 9.0.5.27, upgrade to minimal fix pack levels and apply the interim fix, or upgrade to Web Server Plug-ins Fix Pack 9.0.5.28 (targeted 2Q2026). For V8.5.0.0 through 8.5.5.29, upgrade to minimal fix pack levels and apply the interim fix, or upgrade to Fix Pack 8.5.5.30 (targeted 3Q2026). No workarounds are available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 8.5, 9.0
- Range: 8.5, 9.0
Patches
No patches discovered yet.
References