CVE-2026-10845

IBM WebSphere Application Server is affected by an authentication bypass vulnerability

Assigner: ibm
Reserved: 04.06.2026 Published: 22.06.2026 Updated: 22.06.2026

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.

Product Status

Vendor	IBM
Product	WebSphere Application Server
Versions	affected from 8.5.0 to 7.0.2 Interim Fix 035 (incl.) affected from 9.0.0 to 7.0.3 Interim Fix 017 (incl.)

Vendor

IBM

Product

WebSphere Application Server

Versions

affected from 8.5.0 to 7.0.2 Interim Fix 035 (incl.)
affected from 9.0.0 to 7.0.3 Interim Fix 017 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71648.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71648 https://www.ibm.com/support/pages/node/7276411 --OR-- · Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71648 https://www.ibm.com/support/pages/node/7276411 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.

References

Problem Types

CWE-287 Improper Authentication CWE

CVE-2026-10845 PUBLISHED

IBM WebSphere Application Server is affected by an authentication bypass vulnerability

Product Status

Solutions

References

Problem Types