PatchSiren cyber security CVE debrief
CVE-2026-8633 IBM CVE debrief
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0 contain a critical remote code execution vulnerability. An unauthenticated attacker can exploit this flaw by sending a specially crafted request to achieve arbitrary code execution. The vulnerability resides in the Web Server Plug-ins component, which serves as the bridge between web servers and WebSphere application servers. With a CVSS 3.1 score of 9.8, this vulnerability presents severe risk due to its network attack vector, low attack complexity, and no required privileges or user interaction. The weakness is classified as CWE-94 (Improper Control of Generation of Code), a code injection weakness. Organizations running affected WebSphere deployments should prioritize patching given the critical severity and potential for complete system compromise.
- Vendor: IBM
- Product: Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Organizations running IBM WebSphere Application Server or WebSphere Liberty with Web Server Plug-ins versions 8.5 or 9.0; security teams responsible for Java application server infrastructure; web server administrators managing WebSphere integrations; compliance officers tracking critical vulnerability remediation timelines.
Technical summary
The vulnerability exists in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0. The plug-ins, which enable web servers to forward requests to WebSphere application servers, fail to properly validate or sanitize specially crafted requests. This allows an unauthenticated remote attacker to inject and execute arbitrary code within the context of the plug-in process. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates the vulnerability is exploitable over the network without authentication, with low complexity, and can result in complete confidentiality, integrity, and availability compromise of the affected system. The CWE-94 classification confirms this is a code generation control weakness, typically associated with injection attacks that allow execution of attacker-controlled code.
Defensive priority
critical
Recommended defensive actions
- Apply security updates from IBM as referenced in the vendor advisory when available
- Restrict network access to Web Server Plug-in endpoints to trusted sources where possible
- Monitor WebSphere plug-in logs for anomalous request patterns indicative of exploitation attempts
- Review WebSphere deployment architecture to ensure plug-in components are not exposed to untrusted networks unnecessarily
- Validate that Web Application Firewall rules can detect and block malformed requests targeting WebSphere plug-in endpoints
Evidence notes
CVE description confirms RCE in Web Server Plug-ins; CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H supports critical rating; CWE-94 classification indicates code injection weakness; IBM PSIRT reference provided as authoritative source.
Official resources
- CVE-2026-8633 CVE record (CVE.org)
- CVE-2026-8633 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-26