CVE-2026-8644

IBM WebSphere Application Server is affected by an identity spoofing vulnerability

Assigner: ibm
Reserved: 14.05.2026 Published: 01.06.2026 Updated: 01.06.2026

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	IBM
Product	WebSphere Application Server
Versions	affected from 9.0 to 1.1.9.12 (incl.) Version 8.5 is affected

Vendor

IBM

Product

WebSphere Application Server

Versions

affected from 9.0 to 1.1.9.12 (incl.)
Version 8.5 is affected

Solutions

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71422.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71422 https://www.ibm.com/support/pages/node/7274652 --OR-- · Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71422 https://www.ibm.com/support/pages/node/7274652 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.

References

Problem Types