CVE-2026-9170
Description
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0: IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to denial of service and potential remote code execution due to improper input validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in IBM WebSphere Web Server Plug-ins can lead to denial of service or remote code execution.
Vulnerability
IBM WebSphere Application Server and WebSphere Liberty, when using the optional Web Server Plug-ins, contain an improper input validation vulnerability. Plug-in versions 8.5 and 9.0 are affected. The vulnerability allows an attacker to trigger a denial of service or potentially execute remote code by sending specially crafted input to the plug-in [1].
Exploitation
An unauthenticated attacker with network access to the Web Server Plug-in can send malicious requests. No special privileges or user interaction are required. The exact attack vector involves improper validation of input, which can be exploited to corrupt memory or cause unexpected behavior [1].
Impact
Successful exploitation can result in a denial of service, causing the plug-in to crash or become unresponsive, or potentially lead to remote code execution, allowing the attacker to take control of the affected system [1].
Mitigation
IBM has released interim fixes and fix packs that address the vulnerability (APAR PH71342). For V9.0.0.0 through 9.0.5.27, upgrade to the required fix pack level and apply the interim fix, or apply Fix Pack 9.0.5.28 or later (targeted 2Q2026). For V8.5.0.0 through 8.5.5.29, apply the interim fix or upgrade to Fix Pack 8.5.5.30 or later (targeted 3Q2026). No workarounds are available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 8.5, 9.0
Patches
No patches discovered yet.
References