IBM WebSphere Application Server 9.0 and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to HTTP request smuggling. A remote attacker could smuggle a specially crafted request to the application server thereby allowing the attacker to bypass security controls, spoof identity, escalate privilege, and expose sensitive information.
IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71631 and PH71370. To determine if a feature is enabled for WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 .
For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.6 using the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, or websocket-2.2 feature:
· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71631 https://www.ibm.com/support/pages/node/7276381
--OR--
· Apply Fix Pack 26.0.0.7 or later (targeted availability 3Q2026).
For IBM WebSphere Application Server traditional:
For V9.0.0.0 through 9.0.5.28:
· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71370 https://www.ibm.com/support/pages/node/7276399
--OR--
· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).
For V8.5.0.0 through 8.5.5.29:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix that resolves PH71370 https://www.ibm.com/support/pages/node/7276399
--OR--
· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).
Additional interim fixes may be available and linked off the interim fix download page.