IBM HTTP Server 8.5/9.0 TLS Mutual Auth RCE
CVE-2026-8855 Published on May 26, 2026

IBM HTTP Server is affected by multiple vulnerabilities
IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-8855 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-8855 has been classified to as a Code Injection vulnerability or weakness.

Products Associated with CVE-2026-8855

Want to know whenever a new CVE is published for IBM Http Server? stack.watch will email you.

IBM Http Server

Affected Versions

IBM HTTP Server:

Version 8.5.0, <= Interim Fix 002 is affected.
Version 9.0 is affected.

IBM HTTP Server 8.5/9.0 TLS Mutual Auth RCECVE-2026-8855 Published on May 26, 2026

Vulnerability Analysis

Weakness Type

What is a Code Injection Vulnerability?

Products Associated with CVE-2026-8855

Affected Versions

IBM HTTP Server 8.5/9.0 TLS Mutual Auth RCE
CVE-2026-8855 Published on May 26, 2026