HTTP Request Smuggling in IBM WebSphere App Server Plug-ins (8.5, 9.0)
CVE-2026-8620 Published on May 26, 2026
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
Vulnerability Analysis
CVE-2026-8620 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is a HTTP Request Smuggling Vulnerability?
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.
CVE-2026-8620 has been classified to as a HTTP Request Smuggling vulnerability or weakness.
Products Associated with CVE-2026-8620
Want to know whenever a new CVE is published for IBM Web Server Plug Ins Websphere Application Server Websphere Liberty? stack.watch will email you.
Affected Versions
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty:- Version 8.5, 9.0, <= Interim Fix 002 is affected.