ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-8620 HTTP Request Smuggling in IBM WebSphere Web Server Plug-ins

A short review of CVE-2026-8620, a high severity HTTP request smuggling vulnerability in IBM Web Server Plug-ins for WebSphere Application Server and Liberty, including patch details and its relationship to a companion CVSS 9.8 RCE flaw in the same component.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-26

Brief Summary: CVE-2026-8620 HTTP Request Smuggling in IBM WebSphere Web Server Plug-ins
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A newly disclosed HTTP request smuggling flaw in IBM's Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty allows a remote, unauthenticated attacker to slip crafted requests past the plug-in layer and into the back-end application server, achieving high confidentiality impact across security boundaries. What makes this disclosure particularly urgent is that it shares an advisory with CVE-2026-8633, a CVSS 9.8 remote code execution vulnerability in the same plug-in component, and IBM has confirmed that no workarounds exist for either issue.

Technical Information

Root Cause: Inconsistent HTTP Request Parsing (CWE-444)

CVE-2026-8620 falls under CWE-444: Inconsistent Interpretation of HTTP Requests, commonly known as HTTP Request Smuggling. The vulnerability resides in the IBM Web Server Plug-ins, which serve as the intermediary layer between front-end web servers (such as Apache HTTP Server, IBM HTTP Server, or Microsoft IIS) and the back-end WebSphere Application Server or WebSphere Liberty runtime. The plug-in's role is to receive HTTP requests from the front-end server and forward them to the appropriate back-end application server instance.

The core issue is that the plug-in does not interpret malformed or ambiguous HTTP requests in the same way as the destination application server. When an HTTP message contains conflicting or duplicate Transfer-Encoding (TE) and Content-Length (CL) headers, the plug-in and the back-end server may disagree on where one request ends and the next begins. This disagreement is the foundation of HTTP request smuggling.

Smuggling Techniques

Two primary smuggling patterns are relevant to this class of vulnerability:

TechniqueMechanismFront-End (Plug-in) InterpretationBack-End (App Server) Interpretation
CL.TEBoth CL and TE headers present; front-end uses CL, back-end uses TEDetermines request boundary by Content-LengthDetermines request boundary by Transfer-Encoding: chunked
TE.CLBoth TE and CL headers present; front-end uses TE, back-end uses CLDetermines request boundary by chunked encodingDetermines request boundary by Content-Length

In both cases, the attacker embeds a second, hidden HTTP request within what the plug-in treats as a single legitimate request. The back-end application server, interpreting the request boundaries differently, processes the smuggled request as a separate, independent request. This smuggled request inherits the security context and trust level of the front-end connection.

CVSS Vector Analysis

The CVSS v3.1 base score of 7.5 with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N reveals several important characteristics:

  • AV:N (Network): The attack is remotely exploitable over the network.
  • AC:H (High Complexity): Successful exploitation requires specific conditions, likely related to the particular TE/CL header combination and the specific front-end/back-end configuration.
  • PR:N / UI:N: No authentication or user interaction is required.
  • S:C (Changed Scope): This is architecturally significant. The vulnerability in the plug-in component impacts resources beyond the plug-in's own security authority, meaning exploitation affects the broader application server environment and its data. The plug-in is designed to be a trust boundary, and this vulnerability breaks that boundary.
  • C:H / I:L / A:N: High confidentiality impact with low integrity impact and no availability impact, consistent with smuggling attacks that can expose sensitive data or poison caches.

Exploitation Consequences

According to MITRE's CWE-444 documentation, successful exploitation of HTTP request smuggling enables three primary attack categories:

  1. Web Cache Poisoning: The attacker tricks the web server or an intermediate cache into associating a malicious URL with a legitimate page's content, serving poisoned responses to all subsequent users requesting that URL.
  2. Firewall/WAF Bypass: Malicious payloads (such as command execution patterns or injection strings) are smuggled through web application firewalls by embedding them within header values that the firewall treats as part of a benign request.
  3. Credential Theft via XSS Facilitation: Smuggled requests can invoke scripts or redirect responses in ways that expose client credentials to the attacker.

The Companion RCE: CVE-2026-8633

The same IBM security bulletin that discloses CVE-2026-8620 also addresses CVE-2026-8633, a CVSS 9.8 remote code execution vulnerability (CWE-94: Improper Control of Generation of Code) in the identical Web Server Plug-ins component. The coexistence of a request smuggling flaw and an RCE in the same component creates a potential chaining scenario: an attacker could use the smuggling vulnerability to bypass perimeter defenses and then leverage the RCE for code execution on the back-end server. Both vulnerabilities are resolved by the same APAR PH71342 fix.

Discovery Attribution

The vulnerability was discovered by Positive Technologies and is tracked as PT-2026-43363 in the dbugs vulnerability database. The GitHub Advisory Database carries the entry as GHSA-qwgm-xj6f-w5v6.

Patch Information

IBM has released an official fix under APAR PH71342, published on May 26, 2026. Because the Web Server Plug-ins are a proprietary, closed-source component, the fix is delivered as downloadable IBM Installation Manager interim fix packages via IBM Fix Central rather than as a public code commit.

The fix corrects the HTTP request parsing inconsistency so that the plug-in properly normalizes and validates HTTP requests before forwarding them to the back-end application server.

Two interim fix packages are immediately available:

Interim Fix IDRelease DateApplicable Versions
9.0.5.24-WS-WASPlugIn-IFPH71342May 26, 20269.0.5.24 through 9.0.5.27
8.5.5.25-WS-WASPlugIn-IFPH71342May 26, 20268.5.5.25 through 8.5.5.29

Important note on the V8.5 interim fix: The initial release of the 8.5.x interim fix did not correctly apply to version 8.5.5.29. IBM replaced the package on the same day (May 26, 2026) with an updated build identifiable by the 20260526 date string in the filename. Administrators should verify they have the corrected package.

Prerequisites: Administrators must first upgrade to the minimum fix pack level required by the interim fix (at least 9.0.5.24 for the V9.0 line, or 8.5.5.25 for the V8.5 line) before the interim fix can be applied.

For organizations that prefer to wait for a comprehensive fix pack, IBM has targeted inclusion of the PH71342 fix in:

  • Fix Pack 9.0.5.28: targeted for 2Q 2026
  • Fix Pack 8.5.5.30: targeted for 3Q 2026

However, given the CVSS 7.5 severity, the absence of any workarounds, and the fact that the same APAR also patches the companion CVE-2026-8633 (CVSS 9.8 RCE), applying the interim fix immediately is strongly recommended rather than waiting for the full fix packs.

IBM explicitly states "None" for workarounds and mitigations. Configuration-level defenses such as WAF rules, header normalization, or proxy-layer sanitization are not endorsed by IBM as sufficient. Patching is the only confirmed remediation path.

Affected Systems and Versions

The vulnerability affects the following IBM Web Server Plug-ins versions across all supported platforms:

Affected ProductVersion RangePlug-in Version
IBM Web Server Plug-ins for WAS and LibertyV9.0.0.0 through 9.0.5.279.0
IBM Web Server Plug-ins for WAS and LibertyV8.5.0.0 through 8.5.5.298.5

Supported Platforms: AIX, IBM i, Linux, Windows, z/OS, and Mac OS.

The Web Server Plug-ins are an optional and separately installable component. Not all WebSphere deployments are exposed; only those that use the plug-in architecture for web server integration are affected. Organizations should inventory their WebSphere environments to determine whether the plug-in component is deployed.

Vendor Security History

IBM has a documented history of HTTP request smuggling vulnerabilities in its web infrastructure products. The most directly relevant precedent is CVE-2015-3183, which affected IBM HTTP Server (powered by Apache) across all editions of WebSphere Application Server from V6.1 through V8.5.5.6. That vulnerability shared several characteristics with CVE-2026-8620:

AttributeCVE-2015-3183CVE-2026-8620
Affected ComponentIBM HTTP Server (Apache based)Web Server Plug-ins
WeaknessHTTP Request Smuggling (CWE-444)HTTP Request Smuggling (CWE-444)
CVSS6.1 (CVSS v2)7.5 (CVSS v3.1)
WorkaroundsNoneNone
RemediationInterim fix + Fix PackInterim fix + Fix Pack

The recurrence of this vulnerability class across different IBM web infrastructure components over an 11 year span suggests a systemic pattern in IBM's HTTP message parsing implementations. The absence of workarounds in both cases further indicates that the vulnerability is embedded deep in the request processing pipeline where configuration-level defenses cannot reach.

Recent security bulletins have also addressed additional vulnerabilities in WebSphere Liberty, including SSRF (CVE-2026-1561) affecting Liberty 17.0.0.3 through 26.0.0.3 and privilege escalation (CVE-2025-14915) in Liberty, indicating ongoing security challenges across the WebSphere product family.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization