CVE-2026-8644
Identity Spoofing in IBM WebSphere Application Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: IBM Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | websphere_application_server | From 9.0.0.0 (inc) to 9.0.5.28 (inc) |
| ibm | websphere_application_server | From 8.5.0.0 (inc) to 8.5.5.29 (inc) |
| ibm | websphere_application_server | 9.0 |
| ibm | websphere_application_server | 8.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8644 is an identity spoofing vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5.
This vulnerability allows attackers to bypass authentication mechanisms, effectively impersonating legitimate users or identities.
It is classified under CWE-290 (Authentication Bypass by Spoofing) and has a critical severity with a CVSS base score of 9.1.
How can this vulnerability impact me?
The vulnerability can allow attackers to gain unauthorized access to the system by bypassing authentication.
This unauthorized access can lead to high impact on integrity and availability of the system, as indicated by the CVSS vector (I:H/A:H).
Attackers could potentially manipulate data or disrupt services within the affected IBM WebSphere Application Server environment.
What immediate steps should I take to mitigate this vulnerability?
IBM recommends applying an interim fix for APAR PH71422 or upgrading to specific fix packs to address the vulnerability.
- For IBM WebSphere Application Server version 9.0.0.0 through 9.0.5.28, apply the interim fix or upgrade to Fix Pack 9.0.5.29 or later.
- For version 8.5.0.0 through 8.5.5.29, apply the interim fix or upgrade to Fix Pack 8.5.5.30 or later.
No workarounds or mitigations are currently available, so applying the fixes or upgrades is the immediate recommended action.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The identity spoofing vulnerability in IBM WebSphere Application Server allows attackers to bypass authentication mechanisms and potentially gain unauthorized access to the system.
Such unauthorized access can lead to exposure or manipulation of sensitive data, which may result in non-compliance with data protection regulations and standards like GDPR and HIPAA that require strict access controls and protection of personal and health information.
Therefore, this vulnerability poses a significant risk to compliance with these regulations if not promptly addressed.