Introduction
A newly disclosed HTTP request smuggling flaw in IBM's Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty allows a remote, unauthenticated attacker to slip crafted requests past the plug-in layer and into the back-end application server, achieving high confidentiality impact across security boundaries. What makes this disclosure particularly urgent is that it shares an advisory with CVE-2026-8633, a CVSS 9.8 remote code execution vulnerability in the same plug-in component, and IBM has confirmed that no workarounds exist for either issue.
Technical Information
Root Cause: Inconsistent HTTP Request Parsing (CWE-444)
CVE-2026-8620 falls under CWE-444: Inconsistent Interpretation of HTTP Requests, commonly known as HTTP Request Smuggling. The vulnerability resides in the IBM Web Server Plug-ins, which serve as the intermediary layer between front-end web servers (such as Apache HTTP Server, IBM HTTP Server, or Microsoft IIS) and the back-end WebSphere Application Server or WebSphere Liberty runtime. The plug-in's role is to receive HTTP requests from the front-end server and forward them to the appropriate back-end application server instance.
The core issue is that the plug-in does not interpret malformed or ambiguous HTTP requests in the same way as the destination application server. When an HTTP message contains conflicting or duplicate Transfer-Encoding (TE) and Content-Length (CL) headers, the plug-in and the back-end server may disagree on where one request ends and the next begins. This disagreement is the foundation of HTTP request smuggling.
Smuggling Techniques
Two primary smuggling patterns are relevant to this class of vulnerability:
| Technique | Mechanism | Front-End (Plug-in) Interpretation | Back-End (App Server) Interpretation |
|---|---|---|---|
| CL.TE | Both CL and TE headers present; front-end uses CL, back-end uses TE | Determines request boundary by Content-Length | Determines request boundary by Transfer-Encoding: chunked |
| TE.CL | Both TE and CL headers present; front-end uses TE, back-end uses CL | Determines request boundary by chunked encoding | Determines request boundary by Content-Length |
In both cases, the attacker embeds a second, hidden HTTP request within what the plug-in treats as a single legitimate request. The back-end application server, interpreting the request boundaries differently, processes the smuggled request as a separate, independent request. This smuggled request inherits the security context and trust level of the front-end connection.
CVSS Vector Analysis
The CVSS v3.1 base score of 7.5 with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N reveals several important characteristics:
- AV:N (Network): The attack is remotely exploitable over the network.
- AC:H (High Complexity): Successful exploitation requires specific conditions, likely related to the particular TE/CL header combination and the specific front-end/back-end configuration.
- PR:N / UI:N: No authentication or user interaction is required.
- S:C (Changed Scope): This is architecturally significant. The vulnerability in the plug-in component impacts resources beyond the plug-in's own security authority, meaning exploitation affects the broader application server environment and its data. The plug-in is designed to be a trust boundary, and this vulnerability breaks that boundary.
- C:H / I:L / A:N: High confidentiality impact with low integrity impact and no availability impact, consistent with smuggling attacks that can expose sensitive data or poison caches.
Exploitation Consequences
According to MITRE's CWE-444 documentation, successful exploitation of HTTP request smuggling enables three primary attack categories:
- Web Cache Poisoning: The attacker tricks the web server or an intermediate cache into associating a malicious URL with a legitimate page's content, serving poisoned responses to all subsequent users requesting that URL.
- Firewall/WAF Bypass: Malicious payloads (such as command execution patterns or injection strings) are smuggled through web application firewalls by embedding them within header values that the firewall treats as part of a benign request.
- Credential Theft via XSS Facilitation: Smuggled requests can invoke scripts or redirect responses in ways that expose client credentials to the attacker.
The Companion RCE: CVE-2026-8633
The same IBM security bulletin that discloses CVE-2026-8620 also addresses CVE-2026-8633, a CVSS 9.8 remote code execution vulnerability (CWE-94: Improper Control of Generation of Code) in the identical Web Server Plug-ins component. The coexistence of a request smuggling flaw and an RCE in the same component creates a potential chaining scenario: an attacker could use the smuggling vulnerability to bypass perimeter defenses and then leverage the RCE for code execution on the back-end server. Both vulnerabilities are resolved by the same APAR PH71342 fix.
Discovery Attribution
The vulnerability was discovered by Positive Technologies and is tracked as PT-2026-43363 in the dbugs vulnerability database. The GitHub Advisory Database carries the entry as GHSA-qwgm-xj6f-w5v6.
Patch Information
IBM has released an official fix under APAR PH71342, published on May 26, 2026. Because the Web Server Plug-ins are a proprietary, closed-source component, the fix is delivered as downloadable IBM Installation Manager interim fix packages via IBM Fix Central rather than as a public code commit.
The fix corrects the HTTP request parsing inconsistency so that the plug-in properly normalizes and validates HTTP requests before forwarding them to the back-end application server.
Two interim fix packages are immediately available:
| Interim Fix ID | Release Date | Applicable Versions |
|---|---|---|
9.0.5.24-WS-WASPlugIn-IFPH71342 | May 26, 2026 | 9.0.5.24 through 9.0.5.27 |
8.5.5.25-WS-WASPlugIn-IFPH71342 | May 26, 2026 | 8.5.5.25 through 8.5.5.29 |
Important note on the V8.5 interim fix: The initial release of the 8.5.x interim fix did not correctly apply to version 8.5.5.29. IBM replaced the package on the same day (May 26, 2026) with an updated build identifiable by the 20260526 date string in the filename. Administrators should verify they have the corrected package.
Prerequisites: Administrators must first upgrade to the minimum fix pack level required by the interim fix (at least 9.0.5.24 for the V9.0 line, or 8.5.5.25 for the V8.5 line) before the interim fix can be applied.
For organizations that prefer to wait for a comprehensive fix pack, IBM has targeted inclusion of the PH71342 fix in:
- Fix Pack 9.0.5.28: targeted for 2Q 2026
- Fix Pack 8.5.5.30: targeted for 3Q 2026
However, given the CVSS 7.5 severity, the absence of any workarounds, and the fact that the same APAR also patches the companion CVE-2026-8633 (CVSS 9.8 RCE), applying the interim fix immediately is strongly recommended rather than waiting for the full fix packs.
IBM explicitly states "None" for workarounds and mitigations. Configuration-level defenses such as WAF rules, header normalization, or proxy-layer sanitization are not endorsed by IBM as sufficient. Patching is the only confirmed remediation path.
Affected Systems and Versions
The vulnerability affects the following IBM Web Server Plug-ins versions across all supported platforms:
| Affected Product | Version Range | Plug-in Version |
|---|---|---|
| IBM Web Server Plug-ins for WAS and Liberty | V9.0.0.0 through 9.0.5.27 | 9.0 |
| IBM Web Server Plug-ins for WAS and Liberty | V8.5.0.0 through 8.5.5.29 | 8.5 |
Supported Platforms: AIX, IBM i, Linux, Windows, z/OS, and Mac OS.
The Web Server Plug-ins are an optional and separately installable component. Not all WebSphere deployments are exposed; only those that use the plug-in architecture for web server integration are affected. Organizations should inventory their WebSphere environments to determine whether the plug-in component is deployed.
Vendor Security History
IBM has a documented history of HTTP request smuggling vulnerabilities in its web infrastructure products. The most directly relevant precedent is CVE-2015-3183, which affected IBM HTTP Server (powered by Apache) across all editions of WebSphere Application Server from V6.1 through V8.5.5.6. That vulnerability shared several characteristics with CVE-2026-8620:
| Attribute | CVE-2015-3183 | CVE-2026-8620 |
|---|---|---|
| Affected Component | IBM HTTP Server (Apache based) | Web Server Plug-ins |
| Weakness | HTTP Request Smuggling (CWE-444) | HTTP Request Smuggling (CWE-444) |
| CVSS | 6.1 (CVSS v2) | 7.5 (CVSS v3.1) |
| Workarounds | None | None |
| Remediation | Interim fix + Fix Pack | Interim fix + Fix Pack |
The recurrence of this vulnerability class across different IBM web infrastructure components over an 11 year span suggests a systemic pattern in IBM's HTTP message parsing implementations. The absence of workarounds in both cases further indicates that the vulnerability is embedded deep in the request processing pipeline where configuration-level defenses cannot reach.
Recent security bulletins have also addressed additional vulnerabilities in WebSphere Liberty, including SSRF (CVE-2026-1561) affecting Liberty 17.0.0.3 through 26.0.0.3 and privilege escalation (CVE-2025-14915) in Liberty, indicating ongoing security challenges across the WebSphere product family.
References
- NVD: CVE-2026-8620
- IBM Security Bulletin: APAR PH71342
- IBM Fix Central: Interim Fix Downloads
- GitHub Advisory: GHSA-qwgm-xj6f-w5v6
- Positive Technologies dbugs: PT-2026-43363
- MITRE CWE-444: Inconsistent Interpretation of HTTP Requests
- IBM Security Bulletin: CVE-2015-3183 (Historical Precedent)
- OWASP: Testing for HTTP Request Smuggling
- PortSwigger: HTTP Request Smuggling
- IBM Security Bulletin: Related WebSphere Advisory
- Tenable CVE Database



