CVE-2026-11806 PUBLISHED

IBM WebSphere Application Server Liberty is affected by a an arbitrary file read vulnerability

Assigner: ibm
Reserved: 09.06.2026 Published: 30.06.2026 Updated: 01.07.2026

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.2

Product Status

Vendor IBM
Product WebSphere Application Server - Liberty
Versions
  • affected from 17.0.0.3 to 26.0.0.6 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71719. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 . 

For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the restConnector-2.0 feature:  · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71719 https://www.ibm.com/support/pages/node/7277433

--OR-- · Apply Liberty Fix Pack 26.0.0.7 or later (targeted availability 3Q2026). 

Additional interim fixes may be available and linked off the interim fix download page.

References

Problem Types

  • CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE