Introduction
A code injection vulnerability in IBM HTTP Server's TLS mutual authentication handling gives remote, unauthenticated attackers a path to both arbitrary code execution and denial of service on enterprise web infrastructure. The irony is sharp: the vulnerability specifically targets deployments that have enabled client certificate authentication, a configuration most commonly found in the highest security environments operating under zero trust principles.
CVE-2026-8855 was disclosed on May 26, 2026 as part of a broader bulletin covering nine vulnerabilities in IBM HTTP Server, including CVE-2026-9170 at a critical CVSS 9.8. IBM rates this particular flaw at 8.1 HIGH, while NIST independently scored it at 9.8 CRITICAL. There are no workarounds. The only remediation is patching.
Technical Information
Root Cause: CWE-94 Code Injection in Certificate Processing
CVE-2026-8855 is classified under CWE-94: Improper Control of Generation of Code ('Code Injection'). The vulnerability resides in how IBM HTTP Server processes data from client certificates during TLS mutual authentication. Specifically, the condition is triggered when the SSLClientAuth directive is set to any value other than "0" or "None", meaning the server requires or accepts client certificates as part of the TLS handshake.
In a mutual TLS deployment, the server must parse and process values from the client certificate (such as the Subject Distinguished Name, Subject Alternative Names, and other X.509 fields) to make access control decisions. CWE-94 describes a condition where the product constructs all or part of a code segment using externally influenced input but does not properly neutralize special elements that could modify the syntax or behavior of the intended code segment. When IBM HTTP Server dynamically constructs code segments from this certificate data without strict neutralization, it creates a direct injection vector.
CVSS Vector Breakdown
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H:
| CVSS Component | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over a network |
| Attack Complexity (AC) | High (H) | Requires TLS mutual auth to be configured |
| Privileges Required (PR) | None (N) | No authentication needed to exploit |
| User Interaction (UI) | None (N) | No user action required |
| Scope (S) | Unchanged (U) | Impact confined to the vulnerable component |
| Confidentiality (C) | High (H) | Complete information disclosure possible |
| Integrity (I) | High (H) | Complete system compromise possible |
| Availability (A) | High (H) | Complete denial of service possible |
The High attack complexity reflects the prerequisite that TLS mutual authentication must be configured. IBM's interim fix documentation classifies the SSLClientAuth mutual auth configuration as "uncommon" in typical deployments, which explains the AC:H rating. However, for environments that do use client certificate authentication, the exposure is direct and the remaining vector components (no privileges, no user interaction, all High impacts) paint a severe picture.
The divergence between IBM's 8.1 HIGH score and NIST's independent 9.8 CRITICAL score likely stems from differing assessments of attack complexity. If NIST assessed AC as Low (considering that the attacker simply needs to connect to a server that already has mutual TLS enabled), the resulting score would reach 9.8.
Attack Flow
Based on the CWE-94 classification and the TLS mutual authentication attack surface, the exploitation chain likely proceeds as follows:
-
Reconnaissance: The attacker identifies an IBM HTTP Server instance with client authentication enabled. This can be determined during the TLS handshake when the server sends a
CertificateRequestmessage. -
Certificate Crafting: The attacker constructs a malicious client certificate containing specially crafted elements in certificate fields. These special elements are designed to break out of the data context and inject into a code generation context within the server.
-
TLS Handshake: The attacker initiates a TLS connection and presents the crafted certificate. The server processes the certificate fields as part of its authentication and access control logic.
-
Code Injection: The server incorporates the untrusted certificate field values into a dynamically generated code segment without adequate neutralization of special elements. This is the core CWE-94 weakness: the injection of control plane data into what should be the data plane.
-
Execution: The injected code executes within the server process context, enabling either arbitrary command execution (RCE path) or a crash condition (DoS path).
The related CAPEC attack patterns include CAPEC-242 (Code Injection) and CAPEC-35 (Leverage Executable Code in Non Executable Files). CWE-94's documented consequences specify that injected code can "control authentication" and "bypass protection mechanisms," enabling an attacker to "gain privileges" and access resources they are "directly prevented from accessing." A successful exploit here completely undermines the trust guarantees that the TLS mutual authentication handshake was designed to provide.
The dual RCE and DoS impact is notable: even if an attacker cannot achieve reliable, deterministic code execution, they may still trigger a denial of service condition, providing a fallback impact path.
Broader Bulletin Context
CVE-2026-8855 was not disclosed in isolation. It is one of nine vulnerabilities addressed in the same IBM Security Bulletin, suggesting systemic issues in the component:
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-9170 | 9.8 (Critical) | Code injection (CWE-94) in IBM Web Server Plug-ins |
| CVE-2026-8855 | 8.1 (High) | RCE and DoS in TLS mutual auth (CWE-94) |
| CVE-2026-8854 | High | IBM HTTP Server vulnerability |
| CVE-2026-8856 | High | IBM HTTP Server vulnerability |
| CVE-2026-8852 | High | IBM HTTP Server vulnerability |
| CVE-2026-8850 | High | IBM HTTP Server vulnerability |
| CVE-2026-8835 | High | IBM HTTP Server vulnerability |
| CVE-2026-8834 | High | IBM HTTP Server vulnerability |
| CVE-2026-45186 | High | IBM HTTP Server vulnerability |
The presence of CVE-2026-9170 with the same CWE-94 classification and a 9.8 CRITICAL score in the same bulletin strongly suggests a systemic code injection problem across the IBM HTTP Server and its plug-in components.
Patch Information
IBM published Security Bulletin 7274065 on May 26, 2026, confirming an official fix. There are no workarounds or mitigations; applying the patch is the only remediation.
Fix Details
The fix is tracked under APAR PH71265 and delivered through the Cumulative Security Interim Fix (CSIF) IFPH71265. This interim fix supersedes all prior IHS security interim fixes (PH71061, PH70572, PH68462, and others). IBM uses a cumulative servicing model for IHS: each new CSIF rolls up all previous security fixes, so administrators only need to apply the latest single interim fix.
Remediation Paths
IBM HTTP Server 9.0 (versions 9.0.0.0 through 9.0.5.28):
- Apply interim fix
IFPH71265on top of a supported fix pack level (9.0.5.25, 9.0.5.26, or 9.0.5.27) - Or wait for Fix Pack 9.0.5.29 (targeted availability 3Q2026)
IBM HTTP Server 8.5 (versions 8.5.0.0 through 8.5.5.29):
- Apply interim fix
IFPH71265on top of a supported fix pack level (8.5.5.28 or 8.5.5.29) - Or wait for Fix Pack 8.5.5.30 (targeted availability 3Q2026)
Available Packages
The interim fix was released on May 26, 2026 via IBM Fix Central. Available packages include:
| Package | Platform(s) |
|---|---|
9.0.5.27-WS-WASIHS-IFPH71265 | All (via IM) |
9.0.5.26-WS-WASIHS-IFPH71265 | All (via IM) |
9.0.5.25-WS-WASIHS-IFPH71265 | All (via IM) |
8.5.5.29-WS-WASIHS-IFPH71265 | All (via IM) |
8.5.5.28-WS-WASIHS-IFPH71265 | All (via IM) |
9.0.5-WS-IHS-ARCHIVE-*-FP027-IFPH71265 | Windows x86_64, Linux x86_64, Linux s390x, Linux ppc64le, AIX ppc64 |
Packages are available through both IBM Installation Manager and standalone archive packages for deployments without IM.
Compensating Controls
While IBM has stated no workarounds exist, organizations facing patching delays may consider these compensating measures (not endorsed by IBM):
- Disable TLS mutual authentication where operationally feasible by setting
SSLClientAuthto"0"or"None", removing the exploitation prerequisite entirely. This may not be acceptable in zero trust or regulated environments. - Network segmentation to restrict which clients can initiate TLS connections to the IBM HTTP Server.
- WAF or IDS/IPS rules to detect anomalous client certificate fields, though effectiveness against this specific exploit is unconfirmed.
- Enhanced monitoring of IBM HTTP Server processes for unexpected code execution patterns or crash events.
Given that the same bulletin includes CVE-2026-9170 at CVSS 9.8, organizations should treat the entire set of nine vulnerabilities as a bundled patching event.
Affected Systems and Versions
IBM HTTP Server
| Product | Affected Version Range | Fixed Version | Platform |
|---|---|---|---|
| IBM HTTP Server V9.0 | 9.0.0.0 through 9.0.5.28 | 9.0.5.29 (or interim fix IFPH71265) | AIX, Linux, Windows, z/OS |
| IBM HTTP Server V8.5 | 8.5.0.0 through 8.5.5.29 | 8.5.5.30 (or interim fix IFPH71265) | AIX, Linux, Windows, z/OS |
Bundled Products
IBM HTTP Server is a component within several IBM products, extending the blast radius beyond standalone deployments:
| Product | Affected Version Range |
|---|---|
| IBM WebSphere Application Server (all editions) | Bundles affected HTTP Server versions |
| IBM DevOps Code ClearCase | 11.0.0 through 11.0.0.05 |
| IBM Rational ClearCase | 10.0.0 through 10.0.1.05; 9.1.0 through 9.1.0.10 |
Vulnerable Configuration
The vulnerability is only exploitable when TLS mutual authentication (client authentication) is enabled. Specifically, the SSLClientAuth directive must be set to any value other than "0" or "None". IBM classifies this configuration as "uncommon" in typical deployments, but it is standard practice in enterprise environments implementing zero trust architectures, particularly in financial services, government, and healthcare.
Vendor Security History
IBM's security response for IBM HTTP Server in 2026 shows a pattern of bundled multi-CVE disclosures. In May 2026 alone, IBM PSIRT issued multiple security bulletins:
- A May 13, 2026 bulletin covering multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server that affect IBM Business Automation Workflow.
- A May 18, 2026 bulletin addressing multiple vulnerabilities in IBM HTTP Server shipped with IBM DevOps Code ClearCase.
- Bulletins addressing IBM WebSphere Liberty vulnerabilities including SSRF (CVE-2026-1561) and hard coded cryptographic key issues.
The current bulletin addressing nine CVEs simultaneously, with one critical and multiple high severity issues sharing the same CWE-94 classification, suggests accumulated security debt in the HTTP Server component. The absence of available workarounds for any of the nine CVEs indicates that the vulnerabilities are deeply embedded in the server's code and cannot be mitigated through configuration changes alone.
The Hong Kong CERT also issued an advisory (HKCERT) on May 20, 2026 covering multiple vulnerabilities in IBM WebSphere products, further indicating the breadth of the issue.
References
- CVE-2026-8855 Detail, NVD
- IBM Security Bulletin: IBM HTTP Server is affected by multiple vulnerabilities (Node 7274065)
- IBM Fix Central: IBM HTTP Server Interim Fixes (Node 7239806)
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CVE-2026-9170 Threat Intelligence, Feedly
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (May 21, 2026)
- Fix List for IBM HTTP Server Version 9.0
- FLRT Security APAR Information
- IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Business Automation Workflow
- IBM Security Bulletin: Multiple Vulnerabilities in IBM HTTP Server shipped with IBM DevOps Code ClearCase
- HKCERT: IBM WebSphere Products Multiple Vulnerabilities
- TechChannel: The Web Server Landscape: Where IBM HTTP Server Fits In
- Grand View Research: Application Server Market Size, Share, Industry Report 2030



