IBM WAS Liberty Arbitrary File Read via restConnector-2.0 (17.0.0.3-26.0.0.6)
CVE-2026-11806 Published on June 30, 2026

IBM WebSphere Application Server Liberty is affected by an arbitrary file read vulnerability
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

Vulnerability Analysis

CVE-2026-11806 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Type

What is an HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2026-11806 has been classified as an HTTP Request Smuggling vulnerability or weakness.


Products Associated with CVE-2026-11806

Affected Versions

IBM WebSphere Application Server - Liberty: