PatchSiren cyber security CVE debrief

CVE-2026-8855 IBM CVE debrief

IBM HTTP Server versions 8.5 (prior to 8.5.5.30) and 9.0 (prior to 9.0.5.29) contain a vulnerability in TLS mutual authentication (client authentication) configurations that enables remote code execution and denial of service. The vulnerability, published 2026-05-26, carries a CVSS 3.1 score of 8.1 (HIGH) with attack vector network, high attack complexity, and no required privileges or user interaction. The underlying weakness is categorized as CWE-94 (Improper Control of Generation of Code). Affected platforms include AIX, z/OS, Linux, and Windows deployments of IBM HTTP Server. IBM has released a vendor advisory with remediation guidance.

Vendor: IBM
Product: HTTP Server
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running IBM HTTP Server 8.5 or 9.0 with TLS mutual authentication enabled, particularly those in regulated industries requiring strong client authentication. System administrators, security engineers, and compliance teams responsible for web server infrastructure and TLS configuration management.

Technical summary

The vulnerability exists in IBM HTTP Server's handling of TLS mutual authentication. When client authentication is enabled, an attacker can exploit improper code generation controls (CWE-94) to achieve remote code execution or cause denial of service. The attack requires only network access, though the high attack complexity rating lowers the likelihood of successful exploitation. No privileges or user interaction are required. The vulnerability affects all platforms where IBM HTTP Server 8.5.x before 8.5.5.30 and 9.0.x before 9.0.5.29 are deployed with TLS client authentication enabled.

Defensive priority

HIGH

Recommended defensive actions

  • Review IBM HTTP Server deployments for TLS mutual authentication (client authentication) configurations.
  • Upgrade IBM HTTP Server to version 8.5.5.30 or later for 8.5.x deployments, or version 9.0.5.29 or later for 9.0.x deployments.
  • If immediate patching is not feasible, consider disabling TLS mutual authentication as a temporary risk reduction measure, understanding this may impact authentication requirements.
  • Monitor IBM security bulletins for additional remediation guidance.
  • Review access logs for anomalous TLS handshake patterns or client certificate authentication attempts that may indicate exploitation attempts.
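As an added example (not part of this debrief or of IBM's tooling), a small Python check that applies the two conditions above to a deployment: whether the reported build falls in an affected range, and whether httpd.conf turns on client-certificate authentication via IBM HTTP Server's SSLClientAuth directive (any value other than None). The sample configuration and version strings are constructed.

```python
import re
from typing import List, Tuple

# Fixed builds from the advisory. A build is affected when it is in the same
# major.minor line and below the fixed build (8.5.0.0-8.5.5.29, 9.0.0.0-9.0.5.28).
FIXED = {(8, 5): (8, 5, 5, 30), (9, 0): (9, 0, 5, 29)}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.5.28' into (9, 0, 5, 28); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])

def version_affected(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def client_auth_enabled(httpd_conf: str) -> List[str]:
    """Return SSLClientAuth values that request a client certificate.
    Comment lines are skipped; 'None' means client certs are not requested."""
    enabled = []
    for raw in httpd_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"SSLClientAuth\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() != "none":
            enabled.append(m.group(1))
    return enabled

def exposure(version: str, httpd_conf: str) -> str:
    """Classify one server: fixed build, affected-but-off, or exposed."""
    if not version_affected(version):
        return "not affected: build contains the fix"
    modes = client_auth_enabled(httpd_conf)
    if not modes:
        return "affected build, but TLS client authentication is off"
    return "EXPOSED: affected build with SSLClientAuth " + ", ".join(modes)

# Constructed sample of an IHS virtual host with mutual TLS switched on.
SAMPLE_CONF = """
Listen 443
<VirtualHost *:443>
  SSLEnable
  # SSLClientAuth None
  SSLClientAuth Required
</VirtualHost>
"""

if __name__ == "__main__":
    print(exposure("9.0.5.28", SAMPLE_CONF))
```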

Evidence notes

CVE published 2026-05-26T18:16:57.170Z; modified 2026-05-26T20:25:33.130Z. CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. CPE criteria confirm affected versions 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28. Not listed in CISA KEV.

Official resources

2026-05-26