CVE-2026-11541 PUBLISHED

IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by HTTP request smuggling

Assigner: ibm
Reserved: 08.06.2026 Published: 30.06.2026 Updated: 01.07.2026

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.4

Product Status

Vendor IBM
Product WebSphere Application Server
Versions
  • Version 9.0 is affected
  • Version 8.5 is affected
Vendor IBM
Product WebSphere Application Server - Liberty
Versions
  • affected from 17.0.0.3 to 26.0.0.6 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71808 and PH71706. 

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6:

· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71808 https://www.ibm.com/support/pages/node/7277460 --OR-- · Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71706 https://www.ibm.com/support/pages/node/7277463 --OR-- · Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). 

For V8.5.0.0 through 8.5.5.30: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71706 https://www.ibm.com/support/pages/node/7277463 --OR-- · Apply Fix Pack 8.5.5.31 or later (targeted availability 3Q2026). 

Additional interim fixes may be available and linked off the interim fix download page.

References

Problem Types

  • CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE