ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-8633 Critical RCE via Code Injection in IBM WebSphere Web Server Plug-ins

A short review of CVE-2026-8633, a CVSS 9.8 remote code execution vulnerability in IBM WebSphere Web Server Plug-ins that allows unauthenticated attackers to compromise systems via specially crafted HTTP requests. Patch information and affected version details are included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-26

Brief Summary: CVE-2026-8633 Critical RCE via Code Injection in IBM WebSphere Web Server Plug-ins
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A newly disclosed code injection flaw in IBM's Web Server Plug-ins for WebSphere Application Server allows a remote, unauthenticated attacker to achieve full system compromise by sending a single specially crafted HTTP request. With a CVSS score of 9.8 and roughly 2,819 verified enterprise deployments of WebSphere worldwide, many of them in banking, healthcare, and government, this vulnerability sits at the intersection of maximum exploitability and high value targets.

The Web Server Plug-ins are native modules that sit inside front-facing web servers like Apache HTTP Server, Microsoft IIS, and IBM HTTP Server. They intercept incoming HTTP traffic and route it to back-end WebSphere Application Server instances. Because these plug-ins process every inbound request before it reaches the application layer, a code injection vulnerability at this point in the architecture is particularly dangerous: it gives an attacker execution at the web server process level, upstream of most application security controls.

Technical Information

Root Cause: CWE-94 Code Injection

CVE-2026-8633 is classified under CWE-94: Improper Control of Generation of Code, commonly known as "Code Injection." Per MITRE's definition, this weakness occurs when "a product constructs all or part of a code segment using externally-influenced input from an upstream component, but fails to neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."

The fundamental issue is a failure to separate code from data. When attacker supplied input is interpreted as executable instructions, the control plane data is injected into the user controlled data plane. Unlike buffer overflows, which require additional mechanisms to gain execution, injection weaknesses need only for the data to be parsed as code.

Plug-in Architecture and Attack Surface

IBM Web Server Plug-ins operate as a critical intermediary in the WebSphere architecture. They are installed within front-end web servers and use a configuration file (plugin-cfg.xml) to determine which URLs should be forwarded to the application server and which should be served locally. Communication between the plug-in and the application server uses proprietary protocols over TCP connections.

This architectural position makes the plug-in a high value target. It is the first point of contact for all incoming HTTP requests before they reach the application server. Because the plug-in processes request data before forwarding it, a code injection flaw at this layer gives an attacker control at the web server process level, potentially before any application layer security controls are invoked.

CVSS Vector Decomposition

The CVSS v3.1 vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:

CVSS MetricValueImplication
Attack VectorNetworkExploitable remotely over the network
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo social engineering or user action needed
ScopeUnchangedImpact confined to the vulnerable component
ConfidentialityHighFull access to system data possible
IntegrityHighComplete system modification possible
AvailabilityHighComplete system denial possible

This vector represents the most dangerous exploitation scenario: a remote, unauthenticated attacker can achieve full system compromise by sending a specially crafted HTTP request to the web server plug-in endpoint. No credentials, no user interaction, and no special conditions are required.

Attack Flow

While IBM has not publicly disclosed the exact mechanism of the code injection (typical for RCE advisories to prevent weaponization), the attack flow can be inferred from the CWE classification and CVSS metrics:

  1. The attacker identifies a web server (Apache, IIS, or IBM HTTP Server) running the vulnerable WebSphere Web Server Plug-in. These are typically internet facing by design.
  2. The attacker crafts an HTTP request containing a payload in a request element (headers, query parameters, or body) that the plug-in processes.
  3. The plug-in incorporates the attacker controlled input into a code segment that it dynamically evaluates or constructs, without proper neutralization of special elements.
  4. The injected code executes with the privileges of the web server process, giving the attacker arbitrary code execution on the host.

The low attack complexity (AC:L) confirms that crafting the exploit does not require race conditions, specialized configurations, or other mitigating circumstances.

Co-Disclosed Vulnerability: CVE-2026-8620

The same IBM security advisory also discloses CVE-2026-8620, an HTTP request smuggling vulnerability in the Web Server Plug-ins. HTTP request smuggling allows an attacker to manipulate how the web server and the application server interpret the boundary between successive HTTP requests, potentially bypassing security controls. The coexistence of RCE and request smuggling in the same component creates potential for chained attacks, where smuggling could be used to evade WAF or proxy protections before delivering the RCE payload.

Information Gaps

Several details remain unavailable as of May 27, 2026:

  • The exact code path and request elements that trigger the code injection
  • Whether the vulnerability requires specific plug-in configuration settings
  • The specific programming language construct or function that enables the injection
  • NVD's own CVSS assessment (the record is still marked "Undergoing Enrichment")

Patch Information

IBM released official patches for CVE-2026-8633 on May 26, 2026, tracked under APAR PH71342. The fix addresses the code injection vulnerability in the Web Server Plug-ins component used with both WebSphere Application Server traditional and Liberty editions.

The fix is delivered through two separate interim fix packages:

Interim FixRelease DateApplicable VersionsDownload
9.0.5.24-WS-WASPlugIn-IFPH7134226 May 20269.0.5.24 through 9.0.5.27IBM Fix Central
8.5.5.25-WS-WASPlugIn-IFPH7134226 May 20268.5.5.25 through 8.5.5.29IBM Fix Central

IBM is using a two tier remediation approach. The interim fixes above are available now and should be applied immediately by upgrading to the minimum fix pack level required by the interim fix, then layering the interim fix on top. For organizations that prefer to wait for a consolidated GA release, the fix is also scheduled for inclusion in upcoming full fix packs:

  • Fix Pack 9.0.5.28: targeted availability 2Q2026
  • Fix Pack 8.5.5.30: targeted availability 3Q2026

Given the CVSS 9.8 severity and the unauthenticated, network accessible nature of this vulnerability, waiting for the GA fix packs is strongly discouraged. IBM explicitly states there are no workarounds or mitigations for this vulnerability, making the interim fix the only viable protective action.

Important operational note: IBM revised the 8.5.5 interim fix on the same day it was released (May 26, 2026). The initial version did not properly apply to 8.5.5.29. A corrected build was published with an updated identifier containing 20260526 in its filename. Administrators who downloaded the very first version should verify they have the corrected release to ensure 8.5.5.29 coverage.

Both interim fixes are distributed exclusively through IBM Fix Central and require a valid IBM Software Subscription and Support (S&S) entitlement for download. IBM also provides signature files alongside each interim fix package, and administrators should verify the integrity of the downloaded packages using the documented verification procedures for WebSphere Application Server and Liberty releases.

Compensating Controls While Patching

While no vendor documented workarounds exist, organizations can implement the following compensating controls during the patching window:

  • WAF Rules: Deploy web application firewall rules to inspect and block requests containing patterns consistent with code injection payloads targeting the web server plug-in endpoints. Note that CVE-2026-8620 (HTTP request smuggling in the same component) could potentially undermine WAF effectiveness, so WAF rules alone are insufficient.
  • Network Segmentation: Restrict direct internet access to web servers running the WebSphere plug-ins. Place web servers behind reverse proxies that can perform deep HTTP inspection.
  • Egress Filtering: Limit outbound network connections from web server processes to reduce the impact of successful exploitation.
  • Privilege Reduction: Run the web server process hosting the plug-in with the minimum necessary privileges to limit the blast radius of arbitrary code execution.

Affected Systems and Versions

The vulnerability affects IBM Web Server Plug-ins across four major version branches:

ProductAffected Version RangeFixed Version
Web Server Plug-ins 9.09.0.0.0 through 9.0.5.169.0.5.17 or later
Web Server Plug-ins 8.58.5.0.0 through 8.5.5.238.5.5.24 or later
Web Server Plug-ins 8.08.0.0.0 through 8.0.0.158.0.0.16 or later
Web Server Plug-ins 7.07.0.0.0 through 7.0.0.457.0.0.46 or later

The affected plug-ins are used with the following front-end web servers:

  • Apache HTTP Server
  • Microsoft IIS
  • IBM HTTP Server

The vulnerability spans over a decade of releases, indicating a long-standing weakness in the plug-in code path. Both WebSphere Application Server traditional and WebSphere Application Server Liberty editions are affected when using the vulnerable plug-in versions.

Tenable has released Nessus Plugin ID 297279 to detect vulnerable instances. Organizations with Tenable deployments should ensure this plugin is active and scan all internet facing and internal web server infrastructure that uses WebSphere plug-ins.

Vendor Security History

IBM WebSphere Application Server has a documented pattern of critical security vulnerabilities. The following table summarizes recent disclosures:

CVEYearTypeSeverity
CVE-2026-86332026RCE via Code Injection in Web Server Plug-ins9.8 Critical
CVE-2026-86202026HTTP Request Smuggling in Web Server Plug-insDisclosed in same advisory
CVE-2026-15612026SSRF in WebSphere LibertyDocumented
CVE-2025-360382025RCE via Java Deserialization in WebSphere ASCritical
CVE-2026-11882026Security vulnerability in WebSphere (shipped with ClearCase)Documented
CVE-2025-149152025Privilege Escalation in WebSphere LibertyDocumented
CVE-2024-250262024Denial of Service in WebSphere ASDocumented

The recurring pattern of RCE class vulnerabilities, particularly through deserialization (CVE-2025-36038) and now code injection (CVE-2026-8633), suggests that the WebSphere codebase contains legacy code paths that were not designed with modern secure coding standards. NSFOCUS's analysis of CVE-2025-36038 specifically noted that "the root cause of this vulnerability lies in the insecure handling of Java object deserialization within IBM WebSphere Application Server."

Threat Intelligence Context

As of May 27, 2026, no evidence of active exploitation of CVE-2026-8633 has been found. The CISA Known Exploited Vulnerabilities (KEV) Catalog additions on May 21 and May 22, 2026 did not include this CVE. The vulnerability was published on NVD only on May 26, 2026, making it approximately one day old at the time of this analysis.

Several factors elevate the risk of near term exploitation:

  • Rapid weaponization precedent: VulnCheck's 2026 exploitation analysis found that approximately 28.96% of known exploited vulnerabilities identified in 2025 were exploited on or before the day their CVE was published.
  • Ideal automation target: The combination of network accessibility, no authentication, and no user interaction makes this vulnerability well suited for automated exploitation tooling and botnet operators.
  • High value targets: WebSphere deployments in financial services, healthcare, and government represent attractive targets for ransomware operators and nation state actors. Recorded Future's March 2026 CVE Landscape report documented active exploitation of enterprise vulnerabilities by groups such as Interlock Ransomware.
  • Lower exploitation barrier: CWE-94 vulnerabilities typically require less effort to exploit than memory corruption flaws, as the attack involves crafting input that is directly interpreted as code rather than manipulating memory layout.

Organizations should monitor the CISA KEV Catalog, IBM Security Bulletins, and threat intelligence feeds for updates on exploitation status in the coming days and weeks.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization