CVE-2026-8644: IBM WebSphere Application Server is affected by an identity spoofing vulnerability
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to identity spoofing.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An identity spoofing vulnerability in IBM WebSphere Application Server 9.0 and 8.5 allows a remote, unauthenticated attacker to impersonate other identities. The vulnerability is reachable over the network with no credentials and no victim interaction, so any host that can reach the server can attempt it. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) rates the impact as High for integrity and availability and None for confidentiality: successful exploitation lets the attacker manipulate server-side data and disrupt service, and the 9.1 score derives from those two impacts. IBM has not published a fix; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as one appears.
HarborGuard Coverage
- Detection: Available. Detection capability for CVE-2026-8644 is available across every HarborGuard environment. Affected images are matched against the upstream advisory feed within minutes of publication, including custom-built images derived from WebSphere Application Server 9.0 or 8.5 base layers.
- Scoring and triage: Available. HarborGuard scores this CVE at 9.1 CRITICAL using the published CVSS v3.1 vector, and that score is available for weighting against each customer environment's compliance policy. Triage routing directs findings to the appropriate team inbox within each customer organization based on severity thresholds and asset ownership rules.
- Patched-image rebuild: Pending upstream. No fix version has been published by IBM for this vulnerability. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WebSphere Application Server over the network; any internet-accessible or internally routable instance is exposed.
- Authentication: Not required
No credentials or existing account are needed; the attacker can trigger the vulnerability as an anonymous, unauthenticated caller.
- Victim interaction: Not required
No user action is required; the attacker exploits the vulnerability directly against the server without any social-engineering step.
- Attack complexity: Low
Attack complexity is Low (AC:L): the attacker needs no special timing, race condition, or environmental precondition outside their control, so the attack is expected to succeed repeatably.
Blast Radius
- Attacker acts under a spoofed user identity, bypassing identity-based access controls on protected server resources. Note that the published vector scores confidentiality impact as None, so the rated consequence is what the attacker can change or disrupt under that identity rather than what they can read.
- Attacker modifies application state, configuration data, or persisted records accessible under spoofed identities.
- Attacker disrupts service availability, causing the affected WebSphere instance to become unresponsive or crash.
- Any workload or backend system that trusts identity assertions from the affected WebSphere instance is transitively exposed to unauthorized access.
How HarborGuard Handles This
Status on HarborGuard: Available. This CVE is flagged CRITICAL (CVSS 9.1) and is matched against all customer images containing IBM WebSphere Application Server 9.0 or 8.5 within minutes of ingestion. Because IBM has not published a fix, no patched-image rebuild is available yet. HarborGuard re-evaluates the advisory on every ingest cycle and will automatically initiate a rebuild once an upstream fix is released; for customers with auto-remediation enabled, that rebuild is followed by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating are: network-policy rules in front of affected WebSphere instances that restrict inbound access to known trusted sources; egress filtering that limits lateral movement if an instance is compromised; and additional validation in any downstream service that consumes identity assertions from WebSphere, since an identity spoofed at WebSphere is inherited by everything that trusts it.
Affected Products
- IBM / WebSphere Application Server: ≤ 1.1.9.12 · 8.5
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H