CVE-2026-8644
Description
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to identity spoofing, allowing attackers to bypass authentication and gain unauthorized access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM WebSphere Application Server versions 9.0 and 8.5 are affected by an identity spoofing vulnerability. This vulnerability allows an attacker to bypass authentication mechanisms. The specific conditions or configurations required for exploitation are not detailed in the available references.
Exploitation
The vulnerability is reachable over the network and can be exploited remotely without any privileges or user interaction. Attack complexity is low. The exact steps for exploitation are not disclosed in the provided references.
Impact
Successful exploitation can have a high impact on confidentiality and integrity. An attacker can spoof identities, potentially gaining unauthorized access to sensitive information and the ability to modify data. The scope of the compromise is not explicitly stated but is implied to be significant given the nature of identity spoofing.
Mitigation
IBM recommends applying an interim fix or fix pack that contains the fix for APAR PH71422. For WebSphere Application Server traditional V9.0.0.0 through 9.0.5.28, upgrade to the minimal fix pack levels and apply the interim fix, or apply Fix Pack 9.0.5.29 or later (targeted for 3Q2026). For V8.5.0.0 through 8.5.5.29, upgrade to the minimal fix pack levels and apply the interim fix, or apply Fix Pack 8.5.5.30 or later (targeted for 3Q2026). No workarounds are available [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: 9.0, 8.5
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.