ZeroPath at Black Hat USA 2026

IBM WebSphere Application Server CVE-2026-8644: Critical Identity Spoofing via Improper Signature Validation — Quick Look

A brief summary of CVE-2026-8644, a critical (CVSS 9.1) identity spoofing vulnerability in IBM WebSphere Application Server traditional 8.5 and 9.0 that allows unauthenticated remote attackers to bypass authentication through improper signature validation, with no workarounds available.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

IBM WebSphere Application Server CVE-2026-8644: Critical Identity Spoofing via Improper Signature Validation — Quick Look
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated remote attacker can spoof identities on IBM WebSphere Application Server traditional 8.5 and 9.0 with no user interaction, no privileges, and low attack complexity, earning this vulnerability a CVSS score of 9.1. IBM has confirmed that no workarounds or mitigations exist, and formal fix packs are not expected until the third quarter of 2026, leaving organizations with only an interim fix as their remediation path during a multi month exposure window.

Technical Information

Root Cause: Improper Signature Validation and CWE-290

CVE-2026-8644 is classified under CWE-290: Authentication Bypass by Spoofing, which MITRE defines as a weakness caused by "incorrectly implemented authentication schemes that are subject to spoofing attacks." The IBM Master Data Management security advisory provides a more specific description of the root cause, characterizing the issue as "identity spoofing by an authenticated user due to improper signature validation." This strongly suggests that the WebSphere traditional server fails to properly validate authentication tokens, credentials, or security signatures, allowing an attacker to forge or tamper with identity assertions that the server incorrectly accepts as legitimate.

CVSS Vector Analysis

The full CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. Breaking this down:

CVSS MetricValueImplication
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)LowMinimal technical skill required
Privileges Required (PR)NoneNo authentication needed to exploit
User Interaction (UI)NoneNo victim action required
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)NoneNo direct information disclosure
Integrity (I)HighComplete loss of integrity protection
Availability (A)HighComplete loss of availability

The absence of confidentiality impact combined with high integrity and availability impact is notable. This pattern suggests the vulnerability allows an attacker to assume another identity and potentially disrupt service rather than directly exfiltrate data. However, identity spoofing inherently undermines access controls: an attacker who impersonates a privileged user could indirectly access confidential resources through the spoofed identity.

Attack Patterns Associated with CWE-290

CWE-290 encompasses several concrete attack patterns documented by MITRE:

  1. Exploitation of Trusted Identifiers: An attacker leverages a trusted identifier (such as an IP address, hostname, or certificate) that the authentication system relies upon, forging or manipulating that identifier to gain trusted status.
  2. Signature Spoofing by Misrepresentation (CAPEC-476): An attacker exploits weaknesses in parsing or display code to generate a data blob containing a supposedly valid signature, tricking the recipient into accepting falsified authentication data.
  3. Adversary in the Middle (AiTM): An attacker positions themselves between communicating parties to intercept and manipulate authentication exchanges.

MITRE's observed examples of CWE-290 in practice include CVE-2022-30319, where an IP allowlist in a home automation product was bypassed via a forged IP address, and CVE-2009-1048, where a VOIP product permitted authentication bypass by supplying 127.0.0.1 in the Host header.

Comparison with CVE-2026-3621 (WebSphere Liberty)

A closely related vulnerability, CVE-2026-3621, affects IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 and was disclosed on April 22, 2026. This comparison is instructive for understanding the severity of CVE-2026-8644:

DimensionCVE-2026-8644 (WAS Traditional)CVE-2026-3621 (WAS Liberty)
CVSS Score9.1 (Critical)5.4 (Medium)
Privileges RequiredNoneNone (but configuration dependent)
Exploitation ConditionDefault configurationappSecurity feature disabled
Workaround AvailableNoYes (enable appSecurity)
Root Cause HintImproper signature validationMissing appSecurity feature

The Liberty variant carries a lower CVSS score because it requires the appSecurity feature to not be enabled, constraining exploitation to misconfigured deployments. IBM's advisory states the Liberty vulnerability "occurs under limited conditions when an application is deployed without authentication and authorization configured." For CVE-2026-3621, IBM provides a workaround: enable one of the appSecurity features (appSecurity-1.0 through appSecurity-5.0).

No such configuration toggle exists for CVE-2026-8644. This divergence reveals that the traditional WebSphere authentication implementation has a deeper, more fundamental flaw than the Liberty variant. The traditional variant's vulnerability appears rooted in improper signature validation within the core authentication mechanism itself.

Downstream Product Exposure

IBM Master Data Management versions 11.6 and 12.0 are confirmed impacted by this same class of WebSphere identity spoofing vulnerability. Organizations running IBM products that embed WebSphere as a runtime component face transitive risk beyond standalone WAS deployments. Given that IBM has stated over 150 IBM products ship with Liberty or WebSphere as their internal application server, the blast radius extends well beyond direct WebSphere installations.

Security research firm Oligo also disclosed a pre authentication arbitrary class deserialization vulnerability in the SAML Web SSO component of WebSphere Liberty in April 2026, further highlighting systemic authentication layer weaknesses across the WebSphere family.

Mitigation Strategies

IBM explicitly states: "There are no known workarounds or mitigations for this vulnerability." The only remediation path is applying the interim fix for APAR PH71422.

For V9.0.0.0 through 9.0.5.28: Upgrade to the minimal fix pack levels required by the interim fix, then apply the Interim Fix that resolves PH71422. Alternatively, apply Fix Pack 9.0.5.29 or later (targeted for 3Q2026).

For V8.5.0.0 through 8.5.5.29: Upgrade to the minimal fix pack levels required by the interim fix, then apply the Interim Fix for PH71422. Alternatively, apply Fix Pack 8.5.5.30 or later (targeted for 3Q2026).

While IBM provides no official workarounds, organizations awaiting interim fix deployment may consider the following defensive measures. These are not endorsed by IBM and should not be considered equivalent to applying the patch:

  • Network access restrictions: Limit network exposure of WebSphere Application Server administration and application endpoints to trusted internal networks only, reducing the attack surface consistent with the network based attack vector.
  • WAF rules: Deploy web application firewall rules to detect and block potential authentication spoofing attempts, though effectiveness against this specific vulnerability is unconfirmed.
  • Enhanced monitoring: Enable verbose authentication logging and configure SIEM alerts for anomalous identity assertions, authentication events from unexpected sources, or privilege escalation patterns.
  • Downstream product audit: Identify and patch IBM products that embed WebSphere as a runtime component. IBM Master Data Management 11.6 and 12.0 are confirmed affected. Other IBM products shipping with WebSphere traditional should be assessed.

Affected Systems and Versions

The following IBM WebSphere Application Server traditional versions are affected:

  • WebSphere Application Server 9.0: Versions 9.0.0.0 through 9.0.5.28
  • WebSphere Application Server 8.5: Versions 8.5.0.0 through 8.5.5.29

Downstream products confirmed affected by the same class of vulnerability:

  • IBM Master Data Management 11.6
  • IBM Master Data Management 12.0

The full version span from 8.5.0.0 through 9.0.5.28 and 8.5.5.29 represents years of production deployments. IBM has confirmed no planned end of support date for WebSphere 8.5.5 and 9.0.5, meaning these codebases will remain in production for the foreseeable future.

Vendor Security History

IBM WebSphere Application Server has experienced a steady stream of security vulnerabilities in recent years. The recurrence of identity spoofing vulnerabilities is particularly notable:

CVEDateTypeCVSSAffected Product
CVE-2026-8644Jun 2026Identity Spoofing (CWE-290)9.1WAS traditional 8.5, 9.0
CVE-2026-3621Apr 2026Identity Spoofing (CWE-290)5.4WAS Liberty 17.0.0.3 through 26.0.0.4
CVE-2026-11882026Security vulnerabilityReportedWAS shipped with IBM DevOps Code ClearCase
CVE-2026-86332026Vulnerability in plug insReportedIBM Web Server Plug ins for WAS
CVE-2025-36038Jun 2025Arbitrary Code ExecutionReportedWAS
CVE-2025-36099Sep 2025VulnerabilityReportedWAS Liberty
CVE-2025-149152025Privilege Escalation0.3WAS Liberty

Two identity spoofing vulnerabilities disclosed within two months of each other (CVE-2026-3621 in April and CVE-2026-8644 in June) across both the traditional and Liberty variants suggests a systemic weakness in IBM's authentication and signature validation implementations across the WebSphere product family. This pattern warrants a comprehensive product wide security review rather than isolated point fixes.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization