CVE-2026-11546 PUBLISHED

IBM WebSphere Application Server Liberty is affected by a server-side request forgery vulnerability

Assigner: ibm
Reserved: 08.06.2026 Published: 30.06.2026 Updated: 30.06.2026

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CVSS Score: 7.1

Product Status

Vendor IBM
Product WebSphere Application Server - Liberty
Versions
  • affected from 17.0.0.3 to 26.0.0.7 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71841. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 . 

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.7 using the adminCenter-1.0 feature:  · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71841 https://www.ibm.com/support/pages/node/7278379 --OR-- · Apply Liberty Fix Pack 26.0.0.8 or later (targeted availability 3Q2026). 

Additional interim fixes may be available and linked off the interim fix download page.

References

Problem Types

  • CWE-918 Server-Side Request Forgery (SSRF) CWE