Introduction
An unauthenticated remote attacker can spoof identities on IBM WebSphere Application Server traditional 8.5 and 9.0 with no user interaction, no privileges, and low attack complexity, earning this vulnerability a CVSS score of 9.1. IBM has confirmed that no workarounds or mitigations exist, and formal fix packs are not expected until the third quarter of 2026, leaving organizations with only an interim fix as their remediation path during a multi month exposure window.
Technical Information
Root Cause: Improper Signature Validation and CWE-290
CVE-2026-8644 is classified under CWE-290: Authentication Bypass by Spoofing, which MITRE defines as a weakness caused by "incorrectly implemented authentication schemes that are subject to spoofing attacks." The IBM Master Data Management security advisory provides a more specific description of the root cause, characterizing the issue as "identity spoofing by an authenticated user due to improper signature validation." This strongly suggests that the WebSphere traditional server fails to properly validate authentication tokens, credentials, or security signatures, allowing an attacker to forge or tamper with identity assertions that the server incorrectly accepts as legitimate.
CVSS Vector Analysis
The full CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. Breaking this down:
| CVSS Metric | Value | Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | Minimal technical skill required |
| Privileges Required (PR) | None | No authentication needed to exploit |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | None | No direct information disclosure |
| Integrity (I) | High | Complete loss of integrity protection |
| Availability (A) | High | Complete loss of availability |
The absence of confidentiality impact combined with high integrity and availability impact is notable. This pattern suggests the vulnerability allows an attacker to assume another identity and potentially disrupt service rather than directly exfiltrate data. However, identity spoofing inherently undermines access controls: an attacker who impersonates a privileged user could indirectly access confidential resources through the spoofed identity.
Attack Patterns Associated with CWE-290
CWE-290 encompasses several concrete attack patterns documented by MITRE:
- Exploitation of Trusted Identifiers: An attacker leverages a trusted identifier (such as an IP address, hostname, or certificate) that the authentication system relies upon, forging or manipulating that identifier to gain trusted status.
- Signature Spoofing by Misrepresentation (CAPEC-476): An attacker exploits weaknesses in parsing or display code to generate a data blob containing a supposedly valid signature, tricking the recipient into accepting falsified authentication data.
- Adversary in the Middle (AiTM): An attacker positions themselves between communicating parties to intercept and manipulate authentication exchanges.
MITRE's observed examples of CWE-290 in practice include CVE-2022-30319, where an IP allowlist in a home automation product was bypassed via a forged IP address, and CVE-2009-1048, where a VOIP product permitted authentication bypass by supplying 127.0.0.1 in the Host header.
Comparison with CVE-2026-3621 (WebSphere Liberty)
A closely related vulnerability, CVE-2026-3621, affects IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 and was disclosed on April 22, 2026. This comparison is instructive for understanding the severity of CVE-2026-8644:
| Dimension | CVE-2026-8644 (WAS Traditional) | CVE-2026-3621 (WAS Liberty) |
|---|---|---|
| CVSS Score | 9.1 (Critical) | 5.4 (Medium) |
| Privileges Required | None | None (but configuration dependent) |
| Exploitation Condition | Default configuration | appSecurity feature disabled |
| Workaround Available | No | Yes (enable appSecurity) |
| Root Cause Hint | Improper signature validation | Missing appSecurity feature |
The Liberty variant carries a lower CVSS score because it requires the appSecurity feature to not be enabled, constraining exploitation to misconfigured deployments. IBM's advisory states the Liberty vulnerability "occurs under limited conditions when an application is deployed without authentication and authorization configured." For CVE-2026-3621, IBM provides a workaround: enable one of the appSecurity features (appSecurity-1.0 through appSecurity-5.0).
No such configuration toggle exists for CVE-2026-8644. This divergence reveals that the traditional WebSphere authentication implementation has a deeper, more fundamental flaw than the Liberty variant. The traditional variant's vulnerability appears rooted in improper signature validation within the core authentication mechanism itself.
Downstream Product Exposure
IBM Master Data Management versions 11.6 and 12.0 are confirmed impacted by this same class of WebSphere identity spoofing vulnerability. Organizations running IBM products that embed WebSphere as a runtime component face transitive risk beyond standalone WAS deployments. Given that IBM has stated over 150 IBM products ship with Liberty or WebSphere as their internal application server, the blast radius extends well beyond direct WebSphere installations.
Security research firm Oligo also disclosed a pre authentication arbitrary class deserialization vulnerability in the SAML Web SSO component of WebSphere Liberty in April 2026, further highlighting systemic authentication layer weaknesses across the WebSphere family.
Mitigation Strategies
IBM explicitly states: "There are no known workarounds or mitigations for this vulnerability." The only remediation path is applying the interim fix for APAR PH71422.
For V9.0.0.0 through 9.0.5.28: Upgrade to the minimal fix pack levels required by the interim fix, then apply the Interim Fix that resolves PH71422. Alternatively, apply Fix Pack 9.0.5.29 or later (targeted for 3Q2026).
For V8.5.0.0 through 8.5.5.29: Upgrade to the minimal fix pack levels required by the interim fix, then apply the Interim Fix for PH71422. Alternatively, apply Fix Pack 8.5.5.30 or later (targeted for 3Q2026).
While IBM provides no official workarounds, organizations awaiting interim fix deployment may consider the following defensive measures. These are not endorsed by IBM and should not be considered equivalent to applying the patch:
- Network access restrictions: Limit network exposure of WebSphere Application Server administration and application endpoints to trusted internal networks only, reducing the attack surface consistent with the network based attack vector.
- WAF rules: Deploy web application firewall rules to detect and block potential authentication spoofing attempts, though effectiveness against this specific vulnerability is unconfirmed.
- Enhanced monitoring: Enable verbose authentication logging and configure SIEM alerts for anomalous identity assertions, authentication events from unexpected sources, or privilege escalation patterns.
- Downstream product audit: Identify and patch IBM products that embed WebSphere as a runtime component. IBM Master Data Management 11.6 and 12.0 are confirmed affected. Other IBM products shipping with WebSphere traditional should be assessed.
Affected Systems and Versions
The following IBM WebSphere Application Server traditional versions are affected:
- WebSphere Application Server 9.0: Versions 9.0.0.0 through 9.0.5.28
- WebSphere Application Server 8.5: Versions 8.5.0.0 through 8.5.5.29
Downstream products confirmed affected by the same class of vulnerability:
- IBM Master Data Management 11.6
- IBM Master Data Management 12.0
The full version span from 8.5.0.0 through 9.0.5.28 and 8.5.5.29 represents years of production deployments. IBM has confirmed no planned end of support date for WebSphere 8.5.5 and 9.0.5, meaning these codebases will remain in production for the foreseeable future.
Vendor Security History
IBM WebSphere Application Server has experienced a steady stream of security vulnerabilities in recent years. The recurrence of identity spoofing vulnerabilities is particularly notable:
| CVE | Date | Type | CVSS | Affected Product |
|---|---|---|---|---|
| CVE-2026-8644 | Jun 2026 | Identity Spoofing (CWE-290) | 9.1 | WAS traditional 8.5, 9.0 |
| CVE-2026-3621 | Apr 2026 | Identity Spoofing (CWE-290) | 5.4 | WAS Liberty 17.0.0.3 through 26.0.0.4 |
| CVE-2026-1188 | 2026 | Security vulnerability | Reported | WAS shipped with IBM DevOps Code ClearCase |
| CVE-2026-8633 | 2026 | Vulnerability in plug ins | Reported | IBM Web Server Plug ins for WAS |
| CVE-2025-36038 | Jun 2025 | Arbitrary Code Execution | Reported | WAS |
| CVE-2025-36099 | Sep 2025 | Vulnerability | Reported | WAS Liberty |
| CVE-2025-14915 | 2025 | Privilege Escalation | 0.3 | WAS Liberty |
Two identity spoofing vulnerabilities disclosed within two months of each other (CVE-2026-3621 in April and CVE-2026-8644 in June) across both the traditional and Liberty variants suggests a systemic weakness in IBM's authentication and signature validation implementations across the WebSphere product family. This pattern warrants a comprehensive product wide security review rather than isolated point fixes.
References
- NVD: CVE-2026-8644
- IBM Security Bulletin: IBM WebSphere Application Server is affected by an identity spoofing vulnerability (CVE-2026-8644)
- IBM Security Bulletin: IBM WebSphere Application Server Liberty is affected by identity spoofing (CVE-2026-3621)
- IBM Security Bulletin: IBM Master Data Management is vulnerable to identity spoofing
- NVD: CVE-2026-3621
- CWE-290: Authentication Bypass by Spoofing
- CAPEC-476: Signature Spoofing by Misrepresentation
- IBM WebSphere Application Server and IBM HTTP Server Security Bulletin List
- IBM Security Bulletin: WebSphere Application Server affected by arbitrary code execution (CVE-2025-36038)
- Oligo Security: New Vulnerabilities in IBM WebSphere Liberty
- IBM WebSphere Application Server Support Announcement
- Vulnerability Intelligence Report, May 29, 2026



