CVE-2026-11541
Received Received - Intake

HTTP Request Smuggling in IBM WebSphere

Vulnerability report for CVE-2026-11541, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
ibm websphere_application_server 9.0
ibm websphere_application_server 8.5
ibm websphere_application_server_liberty to 26.0.0.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an HTTP request smuggling issue affecting IBM WebSphere Application Server versions 9.0, 8.5, and IBM WebSphere Application Server - Liberty versions 17.0.0.3 through 26.0.0.6.

HTTP request smuggling occurs when an attacker exploits inconsistencies in the way different web servers or proxies process HTTP requests, allowing them to send a crafted request that is interpreted differently by the front-end and back-end servers.

Impact Analysis

This vulnerability can have a significant impact as it allows an attacker to bypass security controls by smuggling malicious HTTP requests.

  • Confidentiality impact: High (the attacker may gain unauthorized access to sensitive information).
  • Integrity impact: High (the attacker may alter or inject malicious data).
  • Availability impact: None (the vulnerability does not directly affect system availability).

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart