IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.
IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70352. IBM WebSphere Application Server Liberty is affected by identity spoofing only when the appSecurity feature (appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0) is not enabled on the server. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .
For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.4:
· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70352 https://www.ibm.com/support/pages/node/7270436
--OR--
· Apply Liberty Fix Pack 26.0.0.5 or later (targeted availability 2Q2026).
Additional interim fixes may be available and linked off the interim fix download page.