ZeroPath at Black Hat USA 2026

IBM WebSphere Web Server Plug-ins CVE-2026-9170: HTTP Request Smuggling with a Critical Companion CVE — Quick Look

A brief summary of CVE-2026-9170, a high severity HTTP request smuggling vulnerability in IBM Web Server Plug-ins for WebSphere Application Server and Liberty, including patch details and its relationship to a companion CVSS 9.8 remote code execution flaw addressed in the same bulletin.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-26

IBM WebSphere Web Server Plug-ins CVE-2026-9170: HTTP Request Smuggling with a Critical Companion CVE — Quick Look
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

IBM's Web Server Plug-ins for WebSphere Application Server have a recurring problem with HTTP request smuggling, and CVE-2026-9170 is the latest manifestation. Disclosed on May 26, 2026, this CVSS 7.5 vulnerability enables unauthenticated attackers to exploit inconsistent HTTP request parsing between the plug-in intermediary and back-end servers, opening the door to denial of service, data exfiltration, and potentially remote code execution.

What makes this disclosure particularly consequential is its context: the same IBM security bulletin also addresses CVE-2026-8633, a CVSS 9.8 critical remote code execution vulnerability in the same component. Organizations running WebSphere with Web Server Plug-ins, a population that includes 759 companies with 10,000 or more employees according to 6Sense market data, face compound risk from two distinct attack vectors resolved by the same set of patches. IBM has confirmed that no workarounds exist for either vulnerability.

Technical Information

Root Cause: CWE-444 and Inconsistent HTTP Parsing

CVE-2026-9170 is classified under CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). The vulnerability exists in the IBM Web Server Plug-ins, which act as an HTTP intermediary between a front-end web server (such as IBM HTTP Server, Apache, or IIS) and the WebSphere Application Server or Liberty back end.

The core issue is a discrepancy in how the plug-in and the front-end web server interpret HTTP request boundaries. When an attacker crafts a request with ambiguous or contradictory boundary-defining headers, specifically Content-Length and Transfer-Encoding, the front-end server and the plug-in disagree on where one request ends and the next begins. This disagreement allows the attacker to "smuggle" a hidden second request past the front-end server's security controls, delivering it directly to the back-end application server.

Per the CWE-444 definition from MITRE, this type of request smuggling is performed through a "multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation." The IBM Web Server Plug-ins architecture is a textbook example of this pattern: the plug-in sits between the external web server and WebSphere, making it the exact type of intermediary where parsing inconsistencies create exploitable smuggling vectors.

CVSS Vector Analysis

The CVSS v3.1 vector for CVE-2026-9170 is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N, which breaks down as follows:

MetricValueSignificance
Attack VectorNetworkExploitable remotely without local access
Attack ComplexityHighRequires specific conditions or sophisticated technique
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
ScopeChangedExploitation crosses trust boundaries
ConfidentialityHighTotal information disclosure possible
IntegrityLowLimited data modification possible
AvailabilityNoneNo direct availability impact per CVSS scoring

The Changed Scope designation is particularly important. It indicates that a successful exploit against the plug-in can impact resources beyond the plug-in itself, specifically the back-end WebSphere Application Server or Liberty instance and any applications running on it. The High Confidentiality impact means a smuggled request reaching the back end could expose sensitive application data, session tokens, or internal service responses.

It is worth noting that while the CVSS vector rates availability impact as None, IBM's own description states the vulnerability enables "denial of service," suggesting that the practical impact may exceed what the CVSS vector captures.

IBM HTTP Server and SSLEnable Configuration

An important detail from IBM's cumulative security interim fix documentation: CVE-2026-9170 specifically affects IBM HTTP Server deployments where SSLEnable is configured. IBM characterizes this as a "common" configuration, meaning a large share of production IHS instances are likely exposed. The IBM HTTP Server component carries a separate severity assessment under CWE-94 (Improper Control of Generation of Code / Code Injection) with a critical CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network-reachable, unauthenticated exploitation with full confidentiality, integrity, and availability impact.

Attack Flow

Based on the CWE-444 classification and the architecture of the IBM Web Server Plug-ins, a typical exploitation flow would proceed as follows:

  1. Reconnaissance: The attacker identifies a target running IBM HTTP Server with Web Server Plug-ins proxying to WebSphere Application Server or Liberty. The presence of the plug-in can often be inferred from HTTP response headers or behavioral characteristics.

  2. Request Crafting: The attacker constructs an HTTP request with ambiguous boundary semantics. For example, a request might include both a Content-Length header and a Transfer-Encoding: chunked header with values that cause the front-end server and the plug-in to disagree on the request body length.

  3. Smuggling Injection: The front-end server processes what it believes is a single, complete request and forwards it to the plug-in. The plug-in, interpreting the boundaries differently, treats part of the body as the beginning of a new, separate request.

  4. Exploitation: The smuggled second request bypasses any security controls enforced by the front-end server (WAF rules, authentication checks, IP restrictions) and is processed directly by the back-end WebSphere instance. Depending on the smuggled request's content, this can lead to:

    • Data exfiltration: Accessing protected endpoints or sensitive resources on the back end
    • Session hijacking: Interleaving the smuggled request with a legitimate user's subsequent request, capturing their session
    • Cache poisoning: Causing a caching layer to store a malicious response and serve it to other users
    • Denial of service: Sending malformed or resource-intensive requests that degrade back-end performance
  5. Potential Code Execution: IBM's description explicitly mentions "potential remote code execution." If the smuggled request reaches a back-end endpoint vulnerable to injection (particularly relevant given the companion CVE-2026-8633, which involves CWE-94 code injection), the attacker could chain the smuggling vector with the code injection surface for full remote code execution.

The Companion Vulnerability: CVE-2026-8633

The same IBM security bulletin that addresses CVE-2026-9170 also covers CVE-2026-8633, a CVSS 9.8 critical remote code execution vulnerability classified under CWE-94 (Improper Control of Generation of Code / Code Injection). Both vulnerabilities affect the same products and are resolved by the same APAR (PH71342 for plug-ins, PH71265 for IHS). The co-occurrence of an HTTP smuggling flaw and a code injection flaw in the same component creates a compounding risk: even if direct exploitation of one vector is mitigated by network controls, the other may provide an alternative path to the same back-end systems.

Patch Information

Because CVE-2026-9170 sits at the intersection of the IBM HTTP Server and the Web Server Plug-ins, administrators need to evaluate and apply patches to both components for full remediation. IBM published official fixes on May 26, 2026.

IBM HTTP Server: APAR PH71265 (Interim Fix IFPH71265)

This is the primary fix for CVE-2026-9170 in the IBM HTTP Server itself. The vulnerability specifically affects IHS deployments where SSLEnable is configured, which IBM characterizes as a common configuration.

Product VersionInterim FixFuture Fix Pack
V9.0 (9.0.0.0 through 9.0.5.28)Upgrade to minimum required fix pack level, then apply IFPH71265Fix Pack 9.0.5.29 (targeted 3Q2026)
V8.5 (8.5.0.0 through 8.5.5.29)Upgrade to minimum required fix pack level, then apply IFPH71265Fix Pack 8.5.5.30 (targeted 3Q2026)

IFPH71265 is published as a Cumulative Security Interim Fix (CSIF), meaning it supersedes and rolls up all prior IHS security fixes (including PH71061, PH70572, PH68462, and others). Platform-specific packages are available via Fix Central for multiple fix pack levels: 9.0.5.25, 9.0.5.26, 9.0.5.27 on the 9.0 track and 8.5.5.28, 8.5.5.29 on the 8.5 track. Archive packages (without IBM Installation Manager) are also available for Windows x86_64, Linux x86_64, Linux s390x, Linux ppc64le, and AIX ppc64.

IBM Web Server Plug-ins: APAR PH71342 (Interim Fix IFPH71342)

This fix addresses the plug-in component, which acts as the HTTP intermediary where the CWE-444 smuggling vector manifests. This bulletin also covers CVE-2026-8633 (CVSS 9.8 RCE) and CVE-2026-8620 (CWE-444, CVSS 7.5).

Product VersionInterim FixFuture Fix Pack
V9.0 (9.0.0.0 through 9.0.5.27)Apply 9.0.5.24-WS-WASPlugIn-IFPH71342 (covers 9.0.5.24 through 9.0.5.27)Fix Pack 9.0.5.28 (targeted 2Q2026)
V8.5 (8.5.0.0 through 8.5.5.29)Apply 8.5.5.25-WS-WASPlugIn-IFPH71342 (covers 8.5.5.25 through 8.5.5.29)Fix Pack 8.5.5.30 (targeted 3Q2026)

Key Patching Considerations

IBM has explicitly stated that no workarounds or mitigations exist for either component. Applying the interim fixes or upgrading to the forthcoming fix packs is the only remediation path.

Given the 9.8 CVSS score on the companion CVE-2026-8633 and the network-reachable, no-authentication attack vector, organizations should prioritize the interim fix approach rather than waiting for fix pack releases later in 2026. The Web Server Plug-ins component is described by IBM as "optional and separately installable," so organizations that have not deployed this component may not be directly impacted by the plug-in-specific vulnerabilities, but should still evaluate their IHS exposure.

While IBM does not endorse workarounds, organizations awaiting patch deployment may consider compensating measures based on general CWE-444 defense principles: deploying IDS/IPS rules capable of detecting HTTP request smuggling patterns (such as contradictory Content-Length and Transfer-Encoding headers), configuring WAF rules to reject requests with ambiguous boundary-defining headers, and enforcing HTTP/2 where operationally feasible, as HTTP/2's binary framing inherently avoids the request boundary ambiguity that enables smuggling.

Affected Systems and Versions

The following products and versions are affected:

Affected ProductAffected VersionsPlatforms
IBM Web Server Plug-ins for WebSphere Application Server8.5.0.0 through 8.5.5.29, 9.0.0.0 through 9.0.5.27AIX, IBM i, Linux, Windows, z/OS, Mac OS
IBM Web Server Plug-ins for WebSphere Liberty8.5.0.0 through 8.5.5.29, 9.0.0.0 through 9.0.5.27AIX, IBM i, Linux, Windows, z/OS, Mac OS
IBM HTTP Server8.5.0.0 through 8.5.5.29, 9.0.0.0 through 9.0.5.28AIX, IBM i, Linux, Windows, z/OS, Mac OS

Affected editions include Advanced, Base, Developer, Enterprise, Express, Network Deployment, Single Server, and Liberty.

Vulnerable configuration note: For the IBM HTTP Server component, the vulnerability specifically requires SSLEnable to be configured, which IBM describes as a common configuration in production environments.

The Web Server Plug-ins component is optional and separately installable. Organizations that have not deployed this component are not directly impacted by the plug-in-specific attack vector, but should still assess their IBM HTTP Server exposure.

Vendor Security History

IBM WebSphere has experienced a notable volume of security vulnerabilities, with a pattern of recurring CWE-444 HTTP request smuggling issues in the Web Server Plug-ins component specifically:

CVECVSSTypeYear
CVE-2026-86339.8 CriticalRemote Code Execution (CWE-94)2026
CVE-2026-86207.5 HighHTTP Request Smuggling (CWE-444)2026
CVE-2026-91707.5 HighHTTP Request Smuggling (CWE-444)2026
CVE-2026-5516Not specifiedSecurity Bypass2026
CVE-2026-1561Not specifiedSSRF2026
CVE-2025-14915Not specifiedPrivilege Escalation2025
CVE-2022-34165MediumHTTP Request Smuggling (CWE-444)2022

The most directly relevant precedent is CVE-2022-34165, which was also an HTTP request smuggling vulnerability (CWE-444) in the Web Server Plug-ins component. That vulnerability affected WebSphere AS versions 7.0 through 9.0.5.13 and Liberty versions 17.0.0.3 through 22.0.0.9, and enabled HTTP cache poisoning and phishing attacks. The recurrence of the same weakness class in the same component across a four-year span, from 2022 through 2026, suggests a persistent architectural issue in how the Web Server Plug-ins handle HTTP request parsing rather than isolated implementation bugs.

IBM maintains a well-established Product Security Incident Response Team (PSIRT) and publishes security bulletins through its support portal. The advisory for this set of vulnerabilities was published on May 26, 2026, the same day the NVD entry appeared, indicating coordinated disclosure. However, the NVD record is currently flagged as "Undergoing Enrichment," and the GitHub Advisory Database entry (GHSA-q578-5vf7-89mr) is marked as "Unreviewed" with patched versions listed as "Unknown," suggesting the broader security community has not yet fully processed the remediation information.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization