CVE-2026-8633
Description
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0: IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A critical remote code execution vulnerability exists in IBM Web Server Plug-ins for WebSphere Application Server and Liberty via a specially crafted request.
Vulnerability
A remote code execution vulnerability exists in the IBM Web Server Plug-ins component used with IBM WebSphere Application Server (traditional and Liberty) versions 8.5 and 9.0. The bug is triggered via a specially crafted HTTP request sent to the plug-in. All plug-in versions corresponding to the affected product versions (8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.27) are vulnerable [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted request to an affected Web Server Plug-in. No authentication or special network position beyond remote network access is required. The attack complexity is low, and no user interaction is necessary [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to achieve remote code execution on the system where the Web Server Plug-in is running, with the privileges of the plug-in process (typically a high-privilege account). This leads to full compromise of confidentiality, integrity, and availability [1].
Mitigation
IBM has identified APAR PH71342 as the fix. An interim fix is available for both V8.5 and V9.0. For V9.0, upgrade to a minimal fix pack level and then apply the interim fix, or upgrade to fix pack 9.0.5.28 or later (targeted for 2Q2026). For V8.5, upgrade to a minimal fix pack level and then apply the interim fix, or upgrade to fix pack 8.5.5.30 or later (targeted for 3Q2026). No workarounds are available [1].
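To triage an inventory against the affected ranges and fix levels given above, the following added example (not IBM's or this site's code) classifies each install. The inventory rows, status labels and function names are constructed for illustration, and it assumes that APAR PH71342 appearing in an install's fix list means the interim fix was applied at a supported fix pack level.

```python
# Affected ranges as stated on this page: (lowest, highest) affected version.
AFFECTED = {
    (8, 5): ((8, 5, 0, 0), (8, 5, 5, 29)),
    (9, 0): ((9, 0, 0, 0), (9, 0, 5, 27)),
}
FIX_APAR = "PH71342"  # interim fix APAR named on this page


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version, installed_apars=()):
    """Classify one plug-in install against the ranges on this page."""
    v = parse_version(version)
    if v is None or v[:2] not in AFFECTED:
        # Malformed, or a release line the page does not cover: review manually.
        return "unknown"
    _, highest_affected = AFFECTED[v[:2]]
    if v > highest_affected:
        return "fixed-by-fix-pack"
    # Assumption: the APAR id in the fix list means the interim fix is in place.
    if FIX_APAR in {a.strip().upper() for a in installed_apars}:
        return "fixed-by-interim-fix"
    return "vulnerable"


# Constructed inventory rows: (host, plug-in version, installed APARs).
INVENTORY = [
    ("web01", "8.5.5.29", []),
    ("web02", "9.0.5.27", ["PH71342"]),
    ("web03", "9.0.5.28", []),
    ("web04", "9.0.5", []),  # truncated version string, cannot be judged
]


def triage(inventory):
    """Map each host to its status."""
    return {host: classify(ver, apars) for host, ver, apars in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check rather than being treated as safe.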
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 8.5, 9.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.