CVE-2026-8620
HTTP Request Smuggling in IBM WebSphere Plug-ins
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: IBM Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | websphere_application_server | 8.5 |
| ibm | websphere_application_server | 9.0 |
| ibm | web_server_plug_ins | 8.5 |
| ibm | web_server_plug_ins | 9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8620 is a vulnerability in IBM WebSphere Application Server and WebSphere Application Server Liberty when using the optional Web Server Plug-ins component.
It allows HTTP request smuggling through specially crafted requests, enabling attackers to manipulate how requests are interpreted by the server.
How can this vulnerability impact me?
This vulnerability has a high severity with a CVSS base score of 7.5.
It can impact confidentiality and integrity by allowing attackers to manipulate HTTP requests, potentially leading to unauthorized access or data manipulation.
What immediate steps should I take to mitigate this vulnerability?
IBM recommends applying interim fixes or future fix packs (9.0.5.28+ or 8.5.5.30+) to address the vulnerability in IBM WebSphere Application Server and WebSphere Application Server Liberty when using the Web Server Plug-ins component.
No workarounds are currently available, so applying the provided fixes is the immediate step to mitigate this vulnerability.