PatchSiren cyber security CVE debrief
CVE-2026-9170 IBM CVE debrief
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0 contain a vulnerability, described as improper input validation but tagged CWE-444, that may allow denial of service and potentially remote code execution. Note that CWE-444 is the identifier for inconsistent interpretation of HTTP requests between two parsers (request/response smuggling), not for improper input validation (CWE-20), so the two labels do not describe the same weakness; one of them may change once NVD analysis completes. The vulnerability affects IBM WebSphere Application Server and WebSphere Application Server Liberty through the plug-in that fronts them. IBM has published a security bulletin with remediation guidance. The NVD entry is currently undergoing analysis and carries the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N: network attack vector, high attack complexity, no privileges required, no user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact. That last value conflicts with the denial-of-service wording in the description, a further sign that the record is still being refined.
- Vendor
- IBM
- Product
- HTTP Server (Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty)
- CVSS
- CRITICAL 9.8 in source metadata. The NVD 3.1 vector quoted in the summary (AC:H, A:N) computes to 7.5 HIGH under the CVSS 3.1 base equations, so the score is unresolved until NVD analysis completes; plan against the higher value.
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-27
Who should care
Organizations running IBM WebSphere Application Server or WebSphere Liberty behind Web Server Plug-ins versions 8.5 or 9.0, particularly those whose web servers carrying the plug-in (IBM HTTP Server or another supported web server) are internet-facing. Security teams responsible for Java application server infrastructure and those managing hybrid cloud deployments using WebSphere Liberty.
Technical summary
The vulnerability is in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty, versions 8.5 and 9.0. It is described as improper input validation but tagged CWE-444, the identifier for inconsistent interpretation of HTTP requests between two parsers (request/response smuggling); the plug-in runs inside the web server process and forwards requests to the application server, which is exactly the two-parser position that class describes. The flaw may enable denial of service and potentially remote code execution. Attack complexity is rated high in the CVSS vector, meaning success depends on conditions outside the attacker's control (for example a particular deployment, configuration or timing) rather than on simply sending one crafted request. Changed scope (S:C) indicates that the impact lands in a component other than the vulnerable one, which fits a front-end plug-in flaw whose consequences are felt in the separately administered application server behind it. The vector also records no availability impact, which does not match the denial-of-service wording; expect the metrics to be revised when NVD analysis completes.
Defensive priority
HIGH
Recommended defensive actions
- Check the IBM security bulletin for the affected plug-in levels and the fix pack or interim fix for the 8.5 and 9.0 streams. The plug-in is installed and updated separately from the application server it fronts, so verify the plug-in's own fix level on every web server, not only the WebSphere or Liberty level.
- Apply the vendor fix as soon as it is available. Until then, restrict which URIs the plug-in forwards (the Uri and UriGroup entries in plugin-cfg.xml) to the applications that actually need external exposure.
- Keep internet-facing web servers that carry the plug-in in a segregated tier and treat the application server behind them as the target: the changed scope in the vector means a front-end flaw can reach it. The vulnerable component is the front-end plug-in, not the WebSphere administrative console, so segmenting management interfaces alone does not address this issue.
- Monitor front-end access logs and any upstream WAF or load balancer for requests that are ambiguous to parse: both Content-Length and Transfer-Encoding present, duplicate or non-numeric Content-Length, Transfer-Encoding values other than chunked, bare-LF line endings and obsolete line folding. These are the generic indicators for the CWE-444 class; the bulletin does not say which of them, if any, applies to this CVE.
- Review access controls and the run-as account on WebSphere Application Server and Liberty deployments so that a compromised front-end has the least possible reach.
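The monitoring item above is easier to act on with a concrete check. The following is an added example, not IBM's code and not a reproduction of CVE-2026-9170 (the bulletin does not describe its trigger); it flags the generic framing ambiguities that the CWE-444 class is about, over constructed request captures. Sample requests, header names and indicator labels are all constructed for the example; run it over the head of each request in a pcap or a proxy's raw-request log.

```python
"""Heuristic check for ambiguous HTTP/1.1 request framing, the weakness class CWE-444 names.
Added example for this debrief; not IBM's code and not specific to CVE-2026-9170.
It flags requests on which a front-end (web server plus plug-in) and a back-end
application server could disagree about where one request ends and the next begins."""

OWS = b" \t"  # optional whitespace allowed around header values


def _header_block(raw: bytes) -> list[bytes]:
    """Return the request line and header lines; bare-LF input is tolerated so it can be flagged."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw:
            return raw.split(sep, 1)[0].split(b"\n")
    return raw.split(b"\n")  # no blank line at all: incomplete capture, parse what is there


def smuggling_indicators(raw: bytes) -> list[str]:
    """Return the framing anomalies found in one raw request (empty list = nothing suspicious)."""
    lines = _header_block(raw)
    flags: list[str] = []

    def flag(name: str) -> None:
        if name not in flags:
            flags.append(name)

    # Lines ending in LF without CR: parsers differ on whether that terminates a header.
    if any(not line.endswith(b"\r") for line in lines[:-1]):
        flag("bare-lf")
    lines = [line.rstrip(b"\r") for line in lines]

    headers: list[tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation: deprecated, and a classic way to hide a second header value
            flag("obs-fold")
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, value + b" " + line.strip(OWS))
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            flag("malformed-header-line")
            continue
        headers.append((name, value))

    def named(target: bytes) -> list[tuple[bytes, bytes]]:
        return [(n, v) for n, v in headers if n.strip(OWS).lower() == target]

    cls = named(b"content-length")
    tes = named(b"transfer-encoding")

    if len(cls) > 1:
        flag("duplicate-content-length")
    if any(not v.strip(OWS).isdigit() for _, v in cls):
        flag("non-numeric-content-length")
    if cls and tes:
        # Transfer-Encoding is supposed to win, but a lenient hop may honour Content-Length instead
        flag("cl-and-te")
    for name, value in tes:
        if name != name.strip(OWS):
            flag("space-before-colon")  # "Transfer-Encoding : chunked" is invalid yet often accepted
        if value.strip(OWS).lower() != b"chunked":
            flag("unusual-transfer-encoding")  # e.g. "xchunked" or "chunked identity"
    return flags


# Constructed request captures (not real traffic); only the header block matters here.
SAMPLES = {
    "clean": b"POST /app/login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 11\r\n\r\nuser=alice\n",
    "cl_te": b"POST /app HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG",
    "te_obfuscated": b"POST /app HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\nTransfer-Encoding : xchunked\r\n\r\nabcd",
    "dup_cl": b"POST /app HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\nContent-Length: 9\r\n\r\nabcd",
    "bare_lf": b"POST /app HTTP/1.1\nHost: www.example.com\nContent-Length: 4\n\nabcd",
    "obs_fold": b"POST /app HTTP/1.1\r\nHost: www.example.com\r\nTransfer-Encoding: chunked\r\n\tidentity\r\n\r\n0\r\n\r\n",
}


def scan(samples: dict) -> dict:
    """Map each capture name to its indicator list, for a log or pcap triage loop."""
    return {name: smuggling_indicators(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, found in scan(SAMPLES).items():
        print(f"{name:14s} {found or 'ok'}")
```

Any non-empty result is a request that deserves a closer look rather than a confirmed attack; legitimate clients almost never send these shapes, which is what makes them cheap alerts at the front-end tier.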
Evidence notes
CVE published 2026-05-26T18:16:57.987Z; modified 2026-05-26T19:06:14.330Z. IBM PSIRT reference confirms vendor acknowledgment. NVD status: Undergoing Analysis, so the CWE assignment and CVSS vector may still change. CVSS 3.1 vector taken from source metadata.
Official resources
- CVE-2026-9170 CVE record (CVE.org)
- CVE-2026-9170 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-26