CVE-2026-11806
Received Received - Intake

Arbitrary File Read in IBM WebSphere Liberty

Vulnerability report for CVE-2026-11806, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ibm websphere_application_server_liberty From 17.0.0.3 (inc) to 26.0.0.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

IBM recommends applying an interim fix for APAR PH71719 or upgrading to Liberty Fix Pack 26.0.0.7 or later to mitigate this vulnerability.

Currently, there are no workarounds available, so applying the fix or upgrade is the immediate step to reduce risk.

Additionally, users should check if the restConnector-2.0 feature is enabled and take action accordingly.

Executive Summary

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.6 are affected by an arbitrary file read vulnerability when the restConnector-2.0 feature is enabled.

This vulnerability is related to CWE-444, which involves inconsistent interpretation of HTTP requests, allowing an attacker to read arbitrary files on the system.

The issue has a high severity with a CVSS base score of 7.2.

Impact Analysis

This vulnerability allows an attacker to read arbitrary files on the affected system, potentially exposing sensitive information.

Because the vulnerability has high impact on confidentiality, integrity, and availability (all rated high in the CVSS vector), it can lead to significant security risks including data breaches and system compromise.

Detection Guidance

To detect this vulnerability, you should first verify if the restConnector-2.0 feature is enabled on your IBM WebSphere Application Server Liberty installation, as the vulnerability only affects systems with this feature enabled.

No specific detection commands or network scanning techniques are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11806. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart