CVE-2026-8644: Critical Identity Spoofing Flaw in IBM WebSphere Application Server

IBM has disclosed a critical (CVSS 9.1) identity spoofing vulnerability affecting WebSphere Application Server versions 9.0 and 8.5, allowing remote, unauthenticated attackers to impersonate identities and compromise integrity and availability.

What Is It

CVE-2026-8644 is an identity spoofing vulnerability (CWE-290: Authentication Bypass by Spoofing) in IBM WebSphere Application Server. The flaw carries a CVSS 3.1 base score of 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, meaning it is exploitable over the network, requires low attack complexity, needs no privileges, and requires no user interaction. Successful exploitation results in high impact to integrity and availability, with no direct impact to confidentiality. The CVE was published by IBM PSIRT on 2026-06-01.

Why It Matters

WebSphere Application Server is widely deployed as a backbone for enterprise Java applications, often fronting business-critical workloads, financial systems, and middleware integrations. A pre-authentication identity spoofing flaw on a network-reachable surface gives attackers a path to assume trusted identities, manipulate application logic, and disrupt service availability. The combination of unauthenticated network reach, low complexity, and HIGH integrity/availability impact places this in the upper tier of risk for any externally exposed or internally pivot-reachable WebSphere instance.

What's Vulnerable

Per IBM PSIRT, WebSphere Application Server versions 9.0 and 8.5 are affected.

No specific affected CPEs were enumerated in the NVD record at publication. The underlying weakness is classified as CWE-290 (Authentication Bypass by Spoofing).

Patch Status

IBM has published a security bulletin at the reference URL below describing the issue. Administrators running WebSphere Application Server 9.0 or 8.5 should consult the IBM advisory and apply the fixes or mitigations IBM specifies for their version.

This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing; no active in-the-wild exploitation has been confirmed by CISA.

Sources