Introduction
IBM's Web Server Plug-ins for WebSphere Application Server have a recurring problem with HTTP request smuggling, and CVE-2026-9170 is the latest manifestation. Disclosed on May 26, 2026, this CVSS 7.5 vulnerability enables unauthenticated attackers to exploit inconsistent HTTP request parsing between the plug-in intermediary and back-end servers, opening the door to denial of service, data exfiltration, and potentially remote code execution.
What makes this disclosure particularly consequential is its context: the same IBM security bulletin also addresses CVE-2026-8633, a CVSS 9.8 critical remote code execution vulnerability in the same component. Organizations running WebSphere with Web Server Plug-ins, a population that includes 759 companies with 10,000 or more employees according to 6Sense market data, face compound risk from two distinct attack vectors resolved by the same set of patches. IBM has confirmed that no workarounds exist for either vulnerability.
Technical Information
Root Cause: CWE-444 and Inconsistent HTTP Parsing
CVE-2026-9170 is classified under CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). The vulnerability exists in the IBM Web Server Plug-ins, which act as an HTTP intermediary between a front-end web server (such as IBM HTTP Server, Apache, or IIS) and the WebSphere Application Server or Liberty back end.
The core issue is a discrepancy in how the plug-in and the front-end web server interpret HTTP request boundaries. When an attacker crafts a request with ambiguous or contradictory boundary-defining headers, specifically Content-Length and Transfer-Encoding, the front-end server and the plug-in disagree on where one request ends and the next begins. This disagreement allows the attacker to "smuggle" a hidden second request past the front-end server's security controls, delivering it directly to the back-end application server.
Per the CWE-444 definition from MITRE, this type of request smuggling is performed through a "multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation." The IBM Web Server Plug-ins architecture is a textbook example of this pattern: the plug-in sits between the external web server and WebSphere, making it the exact type of intermediary where parsing inconsistencies create exploitable smuggling vectors.
CVSS Vector Analysis
The CVSS v3.1 vector for CVE-2026-9170 is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N, which breaks down as follows:
| Metric | Value | Significance |
|---|---|---|
| Attack Vector | Network | Exploitable remotely without local access |
| Attack Complexity | High | Requires specific conditions or sophisticated technique |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Changed | Exploitation crosses trust boundaries |
| Confidentiality | High | Total information disclosure possible |
| Integrity | Low | Limited data modification possible |
| Availability | None | No direct availability impact per CVSS scoring |
The Changed Scope designation is particularly important. It indicates that a successful exploit against the plug-in can impact resources beyond the plug-in itself, specifically the back-end WebSphere Application Server or Liberty instance and any applications running on it. The High Confidentiality impact means a smuggled request reaching the back end could expose sensitive application data, session tokens, or internal service responses.
It is worth noting that while the CVSS vector rates availability impact as None, IBM's own description states the vulnerability enables "denial of service," suggesting that the practical impact may exceed what the CVSS vector captures.
IBM HTTP Server and SSLEnable Configuration
An important detail from IBM's cumulative security interim fix documentation: CVE-2026-9170 specifically affects IBM HTTP Server deployments where SSLEnable is configured. IBM characterizes this as a "common" configuration, meaning a large share of production IHS instances are likely exposed. The IBM HTTP Server component carries a separate severity assessment under CWE-94 (Improper Control of Generation of Code / Code Injection) with a critical CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network-reachable, unauthenticated exploitation with full confidentiality, integrity, and availability impact.
Attack Flow
Based on the CWE-444 classification and the architecture of the IBM Web Server Plug-ins, a typical exploitation flow would proceed as follows:
-
Reconnaissance: The attacker identifies a target running IBM HTTP Server with Web Server Plug-ins proxying to WebSphere Application Server or Liberty. The presence of the plug-in can often be inferred from HTTP response headers or behavioral characteristics.
-
Request Crafting: The attacker constructs an HTTP request with ambiguous boundary semantics. For example, a request might include both a
Content-Lengthheader and aTransfer-Encoding: chunkedheader with values that cause the front-end server and the plug-in to disagree on the request body length. -
Smuggling Injection: The front-end server processes what it believes is a single, complete request and forwards it to the plug-in. The plug-in, interpreting the boundaries differently, treats part of the body as the beginning of a new, separate request.
-
Exploitation: The smuggled second request bypasses any security controls enforced by the front-end server (WAF rules, authentication checks, IP restrictions) and is processed directly by the back-end WebSphere instance. Depending on the smuggled request's content, this can lead to:
- Data exfiltration: Accessing protected endpoints or sensitive resources on the back end
- Session hijacking: Interleaving the smuggled request with a legitimate user's subsequent request, capturing their session
- Cache poisoning: Causing a caching layer to store a malicious response and serve it to other users
- Denial of service: Sending malformed or resource-intensive requests that degrade back-end performance
-
Potential Code Execution: IBM's description explicitly mentions "potential remote code execution." If the smuggled request reaches a back-end endpoint vulnerable to injection (particularly relevant given the companion CVE-2026-8633, which involves CWE-94 code injection), the attacker could chain the smuggling vector with the code injection surface for full remote code execution.
The Companion Vulnerability: CVE-2026-8633
The same IBM security bulletin that addresses CVE-2026-9170 also covers CVE-2026-8633, a CVSS 9.8 critical remote code execution vulnerability classified under CWE-94 (Improper Control of Generation of Code / Code Injection). Both vulnerabilities affect the same products and are resolved by the same APAR (PH71342 for plug-ins, PH71265 for IHS). The co-occurrence of an HTTP smuggling flaw and a code injection flaw in the same component creates a compounding risk: even if direct exploitation of one vector is mitigated by network controls, the other may provide an alternative path to the same back-end systems.
Patch Information
Because CVE-2026-9170 sits at the intersection of the IBM HTTP Server and the Web Server Plug-ins, administrators need to evaluate and apply patches to both components for full remediation. IBM published official fixes on May 26, 2026.
IBM HTTP Server: APAR PH71265 (Interim Fix IFPH71265)
This is the primary fix for CVE-2026-9170 in the IBM HTTP Server itself. The vulnerability specifically affects IHS deployments where SSLEnable is configured, which IBM characterizes as a common configuration.
| Product Version | Interim Fix | Future Fix Pack |
|---|---|---|
| V9.0 (9.0.0.0 through 9.0.5.28) | Upgrade to minimum required fix pack level, then apply IFPH71265 | Fix Pack 9.0.5.29 (targeted 3Q2026) |
| V8.5 (8.5.0.0 through 8.5.5.29) | Upgrade to minimum required fix pack level, then apply IFPH71265 | Fix Pack 8.5.5.30 (targeted 3Q2026) |
IFPH71265 is published as a Cumulative Security Interim Fix (CSIF), meaning it supersedes and rolls up all prior IHS security fixes (including PH71061, PH70572, PH68462, and others). Platform-specific packages are available via Fix Central for multiple fix pack levels: 9.0.5.25, 9.0.5.26, 9.0.5.27 on the 9.0 track and 8.5.5.28, 8.5.5.29 on the 8.5 track. Archive packages (without IBM Installation Manager) are also available for Windows x86_64, Linux x86_64, Linux s390x, Linux ppc64le, and AIX ppc64.
IBM Web Server Plug-ins: APAR PH71342 (Interim Fix IFPH71342)
This fix addresses the plug-in component, which acts as the HTTP intermediary where the CWE-444 smuggling vector manifests. This bulletin also covers CVE-2026-8633 (CVSS 9.8 RCE) and CVE-2026-8620 (CWE-444, CVSS 7.5).
| Product Version | Interim Fix | Future Fix Pack |
|---|---|---|
| V9.0 (9.0.0.0 through 9.0.5.27) | Apply 9.0.5.24-WS-WASPlugIn-IFPH71342 (covers 9.0.5.24 through 9.0.5.27) | Fix Pack 9.0.5.28 (targeted 2Q2026) |
| V8.5 (8.5.0.0 through 8.5.5.29) | Apply 8.5.5.25-WS-WASPlugIn-IFPH71342 (covers 8.5.5.25 through 8.5.5.29) | Fix Pack 8.5.5.30 (targeted 3Q2026) |
Key Patching Considerations
IBM has explicitly stated that no workarounds or mitigations exist for either component. Applying the interim fixes or upgrading to the forthcoming fix packs is the only remediation path.
Given the 9.8 CVSS score on the companion CVE-2026-8633 and the network-reachable, no-authentication attack vector, organizations should prioritize the interim fix approach rather than waiting for fix pack releases later in 2026. The Web Server Plug-ins component is described by IBM as "optional and separately installable," so organizations that have not deployed this component may not be directly impacted by the plug-in-specific vulnerabilities, but should still evaluate their IHS exposure.
While IBM does not endorse workarounds, organizations awaiting patch deployment may consider compensating measures based on general CWE-444 defense principles: deploying IDS/IPS rules capable of detecting HTTP request smuggling patterns (such as contradictory Content-Length and Transfer-Encoding headers), configuring WAF rules to reject requests with ambiguous boundary-defining headers, and enforcing HTTP/2 where operationally feasible, as HTTP/2's binary framing inherently avoids the request boundary ambiguity that enables smuggling.
Affected Systems and Versions
The following products and versions are affected:
| Affected Product | Affected Versions | Platforms |
|---|---|---|
| IBM Web Server Plug-ins for WebSphere Application Server | 8.5.0.0 through 8.5.5.29, 9.0.0.0 through 9.0.5.27 | AIX, IBM i, Linux, Windows, z/OS, Mac OS |
| IBM Web Server Plug-ins for WebSphere Liberty | 8.5.0.0 through 8.5.5.29, 9.0.0.0 through 9.0.5.27 | AIX, IBM i, Linux, Windows, z/OS, Mac OS |
| IBM HTTP Server | 8.5.0.0 through 8.5.5.29, 9.0.0.0 through 9.0.5.28 | AIX, IBM i, Linux, Windows, z/OS, Mac OS |
Affected editions include Advanced, Base, Developer, Enterprise, Express, Network Deployment, Single Server, and Liberty.
Vulnerable configuration note: For the IBM HTTP Server component, the vulnerability specifically requires SSLEnable to be configured, which IBM describes as a common configuration in production environments.
The Web Server Plug-ins component is optional and separately installable. Organizations that have not deployed this component are not directly impacted by the plug-in-specific attack vector, but should still assess their IBM HTTP Server exposure.
Vendor Security History
IBM WebSphere has experienced a notable volume of security vulnerabilities, with a pattern of recurring CWE-444 HTTP request smuggling issues in the Web Server Plug-ins component specifically:
| CVE | CVSS | Type | Year |
|---|---|---|---|
| CVE-2026-8633 | 9.8 Critical | Remote Code Execution (CWE-94) | 2026 |
| CVE-2026-8620 | 7.5 High | HTTP Request Smuggling (CWE-444) | 2026 |
| CVE-2026-9170 | 7.5 High | HTTP Request Smuggling (CWE-444) | 2026 |
| CVE-2026-5516 | Not specified | Security Bypass | 2026 |
| CVE-2026-1561 | Not specified | SSRF | 2026 |
| CVE-2025-14915 | Not specified | Privilege Escalation | 2025 |
| CVE-2022-34165 | Medium | HTTP Request Smuggling (CWE-444) | 2022 |
The most directly relevant precedent is CVE-2022-34165, which was also an HTTP request smuggling vulnerability (CWE-444) in the Web Server Plug-ins component. That vulnerability affected WebSphere AS versions 7.0 through 9.0.5.13 and Liberty versions 17.0.0.3 through 22.0.0.9, and enabled HTTP cache poisoning and phishing attacks. The recurrence of the same weakness class in the same component across a four-year span, from 2022 through 2026, suggests a persistent architectural issue in how the Web Server Plug-ins handle HTTP request parsing rather than isolated implementation bugs.
IBM maintains a well-established Product Security Incident Response Team (PSIRT) and publishes security bulletins through its support portal. The advisory for this set of vulnerabilities was published on May 26, 2026, the same day the NVD entry appeared, indicating coordinated disclosure. However, the NVD record is currently flagged as "Undergoing Enrichment," and the GitHub Advisory Database entry (GHSA-q578-5vf7-89mr) is marked as "Unreviewed" with patched versions listed as "Unknown," suggesting the broader security community has not yet fully processed the remediation information.
References
- NVD: CVE-2026-9170
- CVE Record: CVE-2026-9170
- IBM Security Bulletin: WebSphere Application Server and Liberty Web Server Plug-ins (CVE-2026-8633, CVE-2026-8620)
- IBM Security Bulletin: IBM HTTP Server Vulnerability
- IBM Cumulative Security Interim Fix Download Page
- IBM WebSphere Fix Pack Information
- GitHub Advisory: GHSA-q578-5vf7-89mr
- CWE-444: Inconsistent Interpretation of HTTP Requests (MITRE)
- OffSeq Radar: CVE-2026-9170 Threat Analysis
- Tenable: CVE-2026-9170
- 6Sense: IBM WebSphere Application Server Market Share
- cybersecurity-help.cz: HTTP Request Smuggling in IBM WebSphere (CVE-2022-34165)
- F5 Labs: Weekly Threat Bulletin, January 28, 2026
- IBM Security Bulletins for WebSphere Application Server
- IBM Security Vulnerability Management



