CVE-2026-3621
Identity Spoofing in IBM WebSphere Liberty Without Auth Configuration
Publication date: 2026-04-23
Last updated on: 2026-04-23
Assigner: IBM Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | websphere_application_server_liberty | From 17.0.0.3 (inc) to 26.0.0.4 (inc) |
| ibm | websphere_application_server_liberty | From 1.0 (inc) to 5.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can be exploited remotely and has a high impact on confidentiality, integrity, and availability of the affected system.
- Confidentiality: An attacker could gain unauthorized access to sensitive information by spoofing identities.
- Integrity: The attacker could alter data or system states by impersonating legitimate users.
- Availability: The attacker might disrupt services or cause denial of service by exploiting the vulnerability.
However, exploitation requires that the application is deployed without authentication and authorization configured, specifically with the appSecurity feature not enabled; these are limited conditions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when an application is deployed without authentication and authorization configured, specifically when the appSecurity feature (versions appSecurity-1.0 through appSecurity-5.0) is not enabled on the IBM WebSphere Application Server Liberty.
To detect this vulnerability on your system, verify whether the appSecurity feature is enabled on your Liberty server (it is declared in the featureManager section of the server configuration). IBM documentation provides guidance on determining which Liberty features are in use.
No specific detection commands are provided in the available resources.
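An added example (not from this page or from IBM) of the configuration check described above: it parses a Liberty server.xml, collects every feature listed under featureManager, and reports whether any appSecurity-* feature is enabled. It assumes Liberty's featureManager/feature element layout and runs against constructed sample configurations embedded in the script.

```python
"""Check a Liberty server.xml for an enabled appSecurity-* feature.

Added example, not IBM's or the page's own code. Assumes the standard
Liberty layout: <server><featureManager><feature>NAME</feature>...
"""
import xml.etree.ElementTree as ET

# Constructed sample: no appSecurity feature, the condition this CVE requires.
SERVER_XML_NO_APPSEC = """<server description="constructed sample">
  <featureManager>
    <feature>jakartaee-10.0</feature>
    <feature>servlet-6.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443"/>
</server>"""

# Constructed sample: appSecurity-5.0 enabled in a second featureManager block.
SERVER_XML_WITH_APPSEC = """<server description="constructed sample">
  <featureManager>
    <feature>servlet-6.0</feature>
  </featureManager>
  <featureManager>
    <feature> appSecurity-5.0 </feature>
  </featureManager>
  <include location="extra.xml"/>
</server>"""


def enabled_features(server_xml: str) -> set:
    """Return the set of feature names across every featureManager element."""
    root = ET.fromstring(server_xml)
    features = set()
    for manager in root.iter("featureManager"):
        for feature in manager.findall("feature"):
            if feature.text and feature.text.strip():
                features.add(feature.text.strip())
    return features


def app_security_status(server_xml: str) -> dict:
    """Report whether appSecurity-* is enabled in this configuration file.

    Liberty can also pull features from <include> files and configDropins,
    so a negative result from a single file is flagged as incomplete rather
    than treated as proof that the feature is absent.
    """
    root = ET.fromstring(server_xml)
    features = enabled_features(server_xml)
    appsec = sorted(f for f in features if f.lower().startswith("appsecurity-"))
    return {
        "appSecurity": appsec,
        "enabled": bool(appsec),
        "config_split": root.find("include") is not None,
    }
```

Run `app_security_status` over each server.xml you deploy; a result with `enabled` False and `config_split` False points at a server running without the feature this advisory's conditions depend on.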
What immediate steps should I take to mitigate this vulnerability?
IBM recommends remediation by applying an interim fix or fix pack containing the fix for APAR PH70352.
Users should either upgrade to the minimal fix pack level required by the interim fix and then apply the interim fix, or apply Liberty Fix Pack 26.0.0.5 or later directly, which is targeted for availability in the second quarter of 2026.
No workarounds or mitigations other than applying the fix are provided.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows identity spoofing under limited conditions when authentication and authorization are not configured, potentially leading to improper privilege management.
This can have a high impact on confidentiality, integrity, and availability of data, which are critical aspects of compliance with standards such as GDPR and HIPAA.
However, the provided information does not explicitly state how this vulnerability affects compliance with these regulations.
Can you explain this vulnerability to me?
IBM WebSphere Application Server Liberty is vulnerable to an identity spoofing issue identified as CVE-2026-3621. This vulnerability occurs under limited conditions when an application is deployed without authentication and authorization configured, specifically when the appSecurity feature (versions appSecurity-1.0 through appSecurity-5.0) is not enabled on the server.
The vulnerability is classified under CWE-269: Improper Privilege Management, meaning it allows an attacker to spoof identities and potentially gain unauthorized access or privileges.
It affects IBM WebSphere Application Server Liberty versions from 17.0.0.3 through 26.0.0.4.