Vypr advisory · Published Jun 22, 2026 · Updated Jun 30, 2026 · 1 source

IBM WebSphere: Eight Vulnerabilities Including DoS, SSRF, and RCE Disclosed Together

Key findings

  • Eight vulnerabilities disclosed on June 22, 2026, affecting IBM WebSphere Application Server and Liberty profile.
  • Vulnerabilities include Denial of Service, SSRF, HTTP Request Smuggling, Auth Bypass, and RCE.
  • Affected products span WebSphere Application Server (9.0, 8.5), Liberty profile, and IBM i.
  • Patches and updates are available; prompt application is recommended.
  • The coordinated disclosure underscores the need for WebSphere users to reassess their security posture.

On June 22, 2026, a batch of eight vulnerabilities was disclosed affecting IBM WebSphere Application Server and its Liberty profile. The vulnerabilities, disclosed within a five-hour window, span several critical security issues including denial of service (DoS), server-side request forgery (SSRF), HTTP request smuggling, authentication bypass, and remote code execution (RCE). These issues pose significant risks to organizations relying on WebSphere Application Server for their enterprise applications.

Several vulnerabilities fall under the category of denial of service. CVE-2026-10852, CVE-2026-9320, and CVE-2026-9071 specifically detail how specially crafted requests can lead to excessive memory consumption or server unresponsiveness. These DoS vulnerabilities affect various versions of WebSphere Application Server (9.0, 8.5) and WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6), and in some cases, IBM i operating systems (7.6, 7.5, 7.4, and 7.3) when using the WebSphere Web Server Plug-in.

HTTP request smuggling is another significant theme within this batch, addressed by CVE-2026-8646 and CVE-2026-9072. Attackers can exploit these flaws by sending crafted HTTP requests to smuggle malicious requests past security controls, potentially leading to security bypasses and identity spoofing. CVE-2026-8858 also highlights HTTP request smuggling in conjunction with denial of service and remote code execution vulnerabilities within the WebSphere Web Server Plug-in component.

Further compounding the risk, CVE-2026-9006 details a server-side request forgery (SSRF) vulnerability in WebSphere Application Server 9.0 and 8.5 when the Ajax Proxy is configured. This allows attackers to trick the server into making requests to internal or external resources, potentially leading to unauthorized access or information disclosure. Additionally, CVE-2026-10845 points to an authentication bypass vulnerability in WebSphere Application Server 8.5 and 9.0, enabling attackers to gain unauthorized access to JAX-WS applications.

The disclosure of these vulnerabilities on a single day highlights a coordinated effort to address multiple security weaknesses in IBM's WebSphere Application Server ecosystem. While specific exploitation details or threat actor information were not provided in the initial disclosures, the nature of these vulnerabilities, particularly RCE and SSRF, suggests a high potential for exploitation by sophisticated attackers.

IBM has released patches and updates to address these vulnerabilities. Users are strongly advised to consult IBM's official security advisories for detailed information on affected versions and the specific patches required. The affected versions range from WebSphere Application Server 8.5 and 9.0 to specific releases of WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) and IBM i operating systems. Prompt application of these updates is crucial to mitigate the risks associated with these security flaws.
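As an added example that is not part of the original advisory or of any IBM tooling, the following Python helper compares an asset inventory against the affected version ranges quoted above (Liberty 17.0.0.3 through 26.0.0.6 inclusive; traditional WebSphere Application Server 8.5 and 9.0 release streams). The inventory rows, the product keys `liberty`, `was` and `ihs-plugin`, and the `review` status are constructed for illustration. The advisory does not state fix-pack levels, so a match flags a host for review against IBM's advisory rather than confirming exposure.

```python
import csv
import io

# Affected ranges quoted in the advisory above. The advisory names release
# streams for traditional WAS and an inclusive range for Liberty; exact fix
# levels are not on the page, so a match means "review against IBM's
# advisory", not "confirmed vulnerable".
LIBERTY_RANGE = ("17.0.0.3", "26.0.0.6")
WAS_STREAMS = {(8, 5), (9, 0)}


def parse_version(text):
    """'26.0.0.6' -> (26, 0, 0, 6); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, low, high):
    """Inclusive comparison, padding shorter tuples with zeros so 9.0 == 9.0.0.0."""
    width = max(len(version), len(low), len(high))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(low) <= pad(version) <= pad(high)


def assess(product, version):
    """Classify one inventory entry.

    Returns 'review', 'not-listed', 'unknown-product' or 'unparseable-version'.
    Product keys are assumptions for this example, not IBM identifiers.
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable-version"
    key = product.strip().lower()
    if key == "liberty":
        low, high = (parse_version(bound) for bound in LIBERTY_RANGE)
        return "review" if in_range(v, low, high) else "not-listed"
    if key == "was":
        # The advisory lists 8.5 and 9.0 streams; compare on the first two components.
        return "review" if v[:2] in WAS_STREAMS else "not-listed"
    return "unknown-product"


# Constructed inventory (host,product,version); hostnames and versions are
# illustrative, not real assets.
SAMPLE_INVENTORY = """\
host,product,version
app01,liberty,26.0.0.6
app02,liberty,26.0.0.7
app03,was,9.0.5.18
app04,was,8.5.5.26
app05,was,7.0.0.45
edge01,ihs-plugin,9.0.5.18
"""


def triage(inventory_csv):
    """Return {host: status} for every row of a CSV inventory string."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: assess(row["product"], row["version"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts that come back as `unknown-product` (here the constructed `ihs-plugin` entry) need a separate lookup, since the advisory ties the plug-in issues to the IBM i versions listed rather than to a plug-in version range.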

This concentrated disclosure event underscores the importance of timely patching and security reviews for users of IBM WebSphere Application Server. Organizations should prioritize updating their systems to the latest secure versions to protect against potential attacks targeting these newly revealed weaknesses. Continuous monitoring and adherence to IBM's security guidance are recommended.

Synthesized by Vypr AI