CVE-2026-5516
Status: Modified - Updated After Analysis
IBM WebSphere Liberty Security Bypass Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: IBM Corporation

Description
IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 could allow a remote attacker to bypass security under limited conditions by exploiting a specific timing window.
CVSS base score: 4.4 (medium)
Meta Information
Published: 2026-05-27
Last Modified: 2026-06-02
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Also tracked at: NVD, EUVD
Affected Vendors & Products
Vendor: ibm
Product: websphere_application_server
Version range: 22.0.0.11 (inclusive) through 26.0.0.5 (inclusive)
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'). The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
AI Quick Actions
Executive Summary

This vulnerability affects IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5, but only when the appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0 feature is enabled.

It allows a remote attacker to bypass security by exploiting a specific timing window (a race condition, CWE-362) under limited conditions.

The vulnerability has a medium severity with a CVSS base score of 4.4.

Impact Analysis

This vulnerability could allow a remote attacker to bypass security controls in IBM WebSphere Application Server Liberty.

By winning the timing window, an attacker might obtain access or perform actions that the server's security configuration should have denied. The advisory does not identify which security check is affected, so the exposure should be treated as applying to any application relying on these appSecurity features.

IBM lists no workarounds or mitigations, so the exposure remains until the fix is applied.

IBM recommends applying the interim fix for APAR PH70798 or upgrading to Liberty Fix Pack 26.0.0.6 or later.

Detection Guidance

This vulnerability affects IBM WebSphere Application Server Liberty versions 22.0.0.11 through 26.0.0.5 when the appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0 feature is enabled.

To determine whether a server is exposed, confirm both conditions: the Liberty version is within the affected range, and one of those appSecurity features is enabled. A feature can be enabled without appearing by name in server.xml, because convenience features (for example the jakartaee-* features) pull it in transitively and configuration may be split across <include> files, so check the features the server actually resolves rather than only the ones written in the configuration.

IBM's documentation on Liberty features describes how to verify enabled features; the available resources provide no specific commands.
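The script below is an added example, not IBM's code and not taken from the page's resources. It checks both exposure conditions from a server's logs/messages.log: the Liberty version from the "product = ..." header line, and the features the server actually resolved at startup from the CWWKF0012I message, which includes features pulled in transitively (the constructed sample names only jakartaee-10.0 in server.xml, yet appSecurity-4.0 is resolved). The log and server.xml inputs are constructed for the example, and the header and message formats are assumed to match what Liberty writes; a server.xml check is included only to show why it is not sufficient on its own.

```python
"""Exposure check for CVE-2026-5516 on an IBM WebSphere Liberty server.

Added example (not IBM's code). It uses two artefacts every Liberty server already
produces: the 'product = ...' header of logs/messages.log for the version, and the
CWWKF0012I startup message, which lists the features the server actually resolved,
including those pulled in transitively by a convenience feature such as jakartaee-10.0.
A server.xml check is included only to show why it is not sufficient on its own.
All sample inputs below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (22, 0, 0, 11)          # first affected fix pack (inclusive)
AFFECTED_MAX = (26, 0, 0, 5)           # last affected fix pack (inclusive)
# Liberty feature names are case-insensitive, so everything is compared lowercased.
AFFECTED_FEATURES = {"appsecurity-3.0", "appsecurity-4.0", "appsecurity-5.0"}

# Constructed sample server.xml: appSecurity is never named, yet jakartaee-10.0
# pulls appSecurity-4.0 in as a dependency.
SAMPLE_SERVER_XML = """\
<server description="constructed sample">
    <featureManager>
        <feature>jakartaee-10.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>
</server>
"""

# Constructed sample messages.log (header plus the feature-resolution message).
SAMPLE_MESSAGES_LOG = """\
********************************************************************************
product = WebSphere Application Server 24.0.0.3 (wlp-1.0.86.cl240320240307-1000)
wlp.install.dir = /opt/ibm/wlp/
********************************************************************************
[5/27/26, 10:00:03:456 UTC] 00000025 com.ibm.ws.kernel.feature.internal.FeatureManager            A CWWKF0012I: The server installed the following features: [appSecurity-4.0, cdi-4.0, jakartaee-10.0, restfulWS-3.1, servlet-6.0, transportSecurity-1.0].
"""


def parse_version(text):
    """Return the first a.b.c.d version in text as an int tuple, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(p) for p in m.groups()) if m else None


def version_in_affected_range(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def configured_features(server_xml):
    """Features named directly in one server.xml. Misses <include> files and
    anything enabled transitively, so treat a miss here as inconclusive."""
    root = ET.fromstring(server_xml)
    return {f.text.strip().lower() for f in root.iter("feature") if f.text}


def resolved_features(log_text):
    """Features the server actually resolved, from every CWWKF0012I message."""
    features = set()
    for m in re.finditer(r"CWWKF0012I:[^\[]*\[([^\]]*)\]", log_text):
        features.update(f.strip().lower() for f in m.group(1).split(",") if f.strip())
    return features


def assess(log_text):
    """Return (verdict, detail) for one server's messages.log."""
    header = next((ln for ln in log_text.splitlines() if ln.startswith("product =")), "")
    version = parse_version(header)
    enabled = resolved_features(log_text)
    if version is None or not enabled:
        return "UNKNOWN", "product header or CWWKF0012I message not found"
    hits = sorted(enabled & AFFECTED_FEATURES)
    if not version_in_affected_range(version):
        return "NOT_AFFECTED", "version outside 22.0.0.11 to 26.0.0.5"
    if not hits:
        return "NOT_EXPOSED", "affected version, but no appSecurity-3.0/4.0/5.0 resolved"
    return "EXPOSED", "%s with %s" % (".".join(map(str, version)), ", ".join(hits))


if __name__ == "__main__":
    print("named in server.xml :", sorted(configured_features(SAMPLE_SERVER_XML)))
    print("resolved at startup :", sorted(resolved_features(SAMPLE_MESSAGES_LOG)))
    print("verdict             :", assess(SAMPLE_MESSAGES_LOG))
```

Run it against a real messages.log by reading the file into `assess()`; a server restarted after a feature change writes a fresh CWWKF0012I message, so take the most recent log. Treat an UNKNOWN verdict as a prompt to check `wlp/bin/productInfo version` and the full resolved feature list by hand rather than as a clean result.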

Mitigation Strategies

IBM strongly recommends applying an interim fix for APAR PH70798 or upgrading to Liberty Fix Pack 26.0.0.6 or later to address this vulnerability.

There are currently no known workarounds or mitigations other than applying the provided fixes.

Users are advised to apply these fixes promptly to mitigate the risk of a remote attacker bypassing security.

Compliance Impact

The provided information does not specify how the CVE-2026-5516 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
