
CVE-2026-8633: Critical RCE in IBM WebSphere Web Server Plug-ins

"A critical unauthenticated remote code execution flaw in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty allows attackers to execute arbitrary code via a specially crafted request."

What Is It

CVE-2026-8633 is a code injection vulnerability (CWE-94) affecting the Web Server Plug-ins component of IBM WebSphere Application Server and WebSphere Application Server Liberty. According to IBM PSIRT, a specially crafted request sent to the Web Server Plug-ins can trigger remote code execution on the underlying server.

The flaw carries a CVSS 3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That combination (network-reachable, low complexity, no privileges or user interaction required, and full impact to confidentiality, integrity, and availability) places this firmly in the "patch immediately" tier.

Why It Matters

WebSphere Web Server Plug-ins typically sit in front of application servers as the bridge between web servers (IHS, Apache, IIS) and WebSphere back-ends, meaning they are commonly exposed at the network edge. An unauthenticated RCE in this position gives an attacker pre-auth code execution on infrastructure that often handles enterprise application traffic, sessions, and credentials.

The CVE was published 2026-05-26 and is currently listed by NVD as "Undergoing Analysis." No CISA KEV entry was supplied with this advisory, so active exploitation has not been confirmed via KEV at this time. Given the severity and pre-auth nature, defenders should not wait on KEV confirmation before patching.

What's Vulnerable

Per IBM's description, the affected products are:

NVD has not yet enumerated specific CPEs for this entry. Operators should consult the IBM advisory for precise fix-pack levels and any interim mitigations.

Patch Status

IBM has published an advisory at the reference URL below describing the issue and remediation. Administrators running WebSphere 8.5 or 9.0 with the Web Server Plug-ins should review the IBM support note, apply the vendor-provided fix pack or interim fix, and audit edge-facing WebSphere/IHS deployments for exposure.
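One way to start the audit of edge-facing WebSphere/IHS deployments mentioned above, as an added example (not IBM tooling and not part of the original brief): it reads an IHS/Apache configuration, reports whether the WebSphere plug-in module is loaded, and lists listeners that are not loopback-only. The sample configuration, its paths and the `audit_conf` helper are constructed for illustration; the check does not determine fix-pack level and does not follow Include directives.

```python
import re

# Constructed sample configuration for illustration; not taken from a real host.
SAMPLE_CONF = """\
Listen 0.0.0.0:443
Listen 127.0.0.1:8008
# LoadModule was_ap22_module /old/mod_was_ap22_http.so
LoadModule was_ap24_module /opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap24_http.so
WebSpherePluginConfig /opt/IBM/WebSphere/Plugins/config/webserver1/plugin-cfg.xml
"""

ARG = r'("[^"]*"|\S+)'  # a directive argument, optionally double-quoted
LOAD_RE = re.compile(r"^LoadModule\s+(was_ap\d+_module)\s+" + ARG, re.I)
CFG_RE = re.compile(r"^WebSpherePluginConfig\s+" + ARG, re.I)
LISTEN_RE = re.compile(r"^Listen\s+(\S+)", re.I)
LOOPBACK = ("127.", "localhost", "[::1]")


def audit_conf(text):
    """Summarise plug-in usage and listener exposure in one config file.

    Commented-out directives are ignored, so a disabled LoadModule line
    does not count as the plug-in being active.
    """
    result = {"module": None, "module_path": None, "plugin_cfg": None, "listeners": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := LOAD_RE.match(line):
            result["module"] = m.group(1)
            result["module_path"] = m.group(2).strip('"')
        elif m := CFG_RE.match(line):
            result["plugin_cfg"] = m.group(1).strip('"')
        elif m := LISTEN_RE.match(line):
            result["listeners"].append(m.group(1))
    # A bare port ("Listen 443") binds every interface, so it counts as external.
    result["external_listeners"] = [
        l for l in result["listeners"] if not l.startswith(LOOPBACK)
    ]
    # Flag hosts where the plug-in is active and reachable beyond loopback.
    result["needs_review"] = bool(result["module"] and result["external_listeners"])
    return result


if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```

A host flagged `needs_review` is a candidate for checking against the fix levels in the IBM advisory; the flag says nothing about whether the installed plug-in is already patched.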

Sources