CVE-2026-8646
Undergoing Analysis Undergoing Analysis - In Progress
HTTP Request Smuggling in IBM WebSphere Application Server

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: IBM Corporation

Description
IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-8646
EUVD
EUVD-2026-38251
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ibm websphere_application_server 8.5
ibm websphere_application_server 9.0
ibm websphere_application_server_liberty to 26.0.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in IBM WebSphere Application Server and WebSphere Application Server Liberty allows attackers to bypass security controls, spoof identities, escalate privileges, and expose sensitive information.

Such impacts can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strong access controls.

However, the provided information does not explicitly mention compliance implications or specific regulatory impacts.

Executive Summary

CVE-2026-8646 is a vulnerability in IBM WebSphere Application Server and WebSphere Application Server Liberty that allows HTTP request smuggling.

This flaw enables a remote attacker to send specially crafted HTTP requests to the application server in a way that the server processes them incorrectly.

As a result, the attacker can bypass security controls, spoof identities, escalate privileges, and expose sensitive information.

Impact Analysis

This vulnerability can have serious impacts including:

  • Bypassing security controls, which may allow unauthorized access.
  • Spoofing identities, potentially impersonating legitimate users.
  • Escalating privileges, gaining higher access rights than intended.
  • Exposing sensitive information that should be protected.
Mitigation Strategies

IBM recommends upgrading to fix pack levels or applying interim fixes to address the issue.

No workarounds are currently available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8646. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart