IBM HTTP Server 8.5 and 9.0 contain a code injection flaw (CWE-94) that allows unauthenticated remote code execution and denial of service when TLS mutual (client) authentication is configured.
What Is It
CVE-2026-8855 is a remote code execution and denial-of-service vulnerability in IBM HTTP Server, disclosed by IBM PSIRT on 2026-05-26. The flaw is classified as CWE-94 (Improper Control of Generation of Code) and is only reachable in deployments configured with TLS mutual authentication, where the server requires client certificates.
NVD's primary CVSS v3.1 score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network reachable, no privileges, no user interaction, and full impact to confidentiality, integrity, and availability. IBM's secondary score is 8.1 (High); the only difference is attack complexity rated High (AC:H), which is the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Why It Matters
IBM HTTP Server is widely deployed as the front-end web tier for WebSphere Application Server and other enterprise IBM stacks, often terminating TLS for internal applications. Mutual TLS is used precisely in high-trust deployments (banking portals, B2B integrations, regulated industries), so a successful exploit yields code execution on a perimeter or DMZ host. An unauthenticated RCE in that position is a direct path to lateral movement into the internal application infrastructure behind it.
The CISA KEV catalog does not currently list CVE-2026-8855. That means no exploitation has been confirmed by CISA at the time of writing, not that none has occurred; absence from KEV is not a reason to defer patching an internet-facing mutual-TLS endpoint.
What's Vulnerable
Affected versions per NVD CPE data:
- IBM HTTP Server 8.5: from 8.5.0.0 up to (but not including) 8.5.5.30
- IBM HTTP Server 9.0: from 9.0.0.0 up to (but not including) 9.0.5.29
The flaw applies across supported operating systems, including AIX, z/OS, Linux, and Windows. Only configurations using TLS mutual authentication (client certificate authentication) are exposed; in IBM HTTP Server terms, that is a TLS-enabled virtual host whose SSLClientAuth directive is set to something other than None.
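Because exposure depends on configuration rather than version alone, the first triage step is to find which virtual hosts actually enable client certificate authentication. The script below is an added example, not IBM tooling and not part of the advisory. It assumes the IBM HTTP Server directives SSLEnable and SSLClientAuth (values None/Optional/Required, or 0/1/2) inside <VirtualHost> blocks, and it does not follow Include'd files or directives set at global scope; the httpd.conf fragment it scans is constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM tooling): list IBM HTTP Server virtual hosts that
# enable TLS client-certificate authentication, i.e. the configurations the
# advisory says are exposed. Assumes the IHS directives SSLEnable and
# SSLClientAuth (None/Optional/Required, or 0/1/2) inside <VirtualHost>
# blocks; Include'd files and global-scope directives are not followed.

# mtls_vhosts CONF: print "ServerName SSLClientAuth-value" for each
# <VirtualHost> that has SSLEnable and an SSLClientAuth other than None/0.
mtls_vhosts() {
  awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    tolower($1) == "<virtualhost"  { in_vh = 1; name = "-"; ssl = 0; auth = ""; next }
    tolower($1) == "</virtualhost>" {
      if (in_vh && ssl && auth != "" && auth != "none" && auth != "0")
        printf "%s %s\n", name, auth
      in_vh = 0; next
    }
    in_vh && tolower($1) == "servername"    { name = $2 }
    in_vh && tolower($1) == "sslenable"     { ssl = 1 }
    in_vh && tolower($1) == "sslclientauth" { auth = tolower($2) }
  ' "$1"
}

# Constructed sample httpd.conf (not from any real deployment): one vhost
# requiring client certs, one requesting them optionally, one TLS vhost
# without client auth, and one non-TLS vhost with a stray SSLClientAuth.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Listen 443
# portal: client certificates mandatory
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEnable
    SSLClientAuth Required
    Keyfile /opt/IBM/HTTPServer/keys/portal.kdb
</VirtualHost>
<VirtualHost *:8443>
    ServerName b2b.example.com
    SSLEnable
    SSLClientAuth Optional
</VirtualHost>
<VirtualHost *:9443>
    ServerName intranet.example.com
    SSLEnable
    SSLClientAuth None
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
    SSLClientAuth Required
</VirtualHost>
EOF

echo "Virtual hosts with TLS client authentication enabled:"
mtls_vhosts "$SAMPLE_CONF"
```

Run it against the real httpd.conf path on each IHS host (and against every file it Includes) to build the list of exposed endpoints; the vhost on port 80 is deliberately excluded because SSLClientAuth has no effect without SSLEnable.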
Patch Status
IBM has published fixes in the following versions:
- IBM HTTP Server 8.5.5.30
- IBM HTTP Server 9.0.5.29
Administrators should upgrade to a fixed release. On instances that cannot be patched immediately, audit each TLS virtual host for whether client certificate authentication is actually required: because only mutual-TLS configurations are exposed, removing client authentication where it is not needed eliminates the precondition (at the cost of that control), and where it is needed, follow the mitigation guidance in the IBM advisory.
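To triage a fleet against the affected ranges and fixed releases listed above, the build version has to be compared component by component (8.5.5.30 is newer than 8.5.5.4, which a plain string comparison gets wrong). The script below is an added example, not IBM tooling. It assumes the version banner printed by `apachectl -v` has the form "Server version: IBM_HTTP_Server/<version> (...)"; that format is an assumption to verify against your own install, and the banners it parses are constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM tooling): classify an IBM HTTP Server build as
# patched or unpatched for CVE-2026-8855 using the fixed releases from the
# advisory. The banner format "Server version: IBM_HTTP_Server/<version> (...)"
# is an assumption about `apachectl -v` output; check it on your own install.

FIXED_85=8.5.5.30   # first fixed 8.5 release per the advisory
FIXED_90=9.0.5.29   # first fixed 9.0 release per the advisory

# version_ge A B: exit 0 when dotted version A >= B, comparing each numeric
# component in turn; missing trailing components count as 0.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
  done
  return 0
}

# ihs_version BANNER: extract the dotted version from an apachectl -v banner.
ihs_version() {
  printf '%s\n' "$1" | sed -n 's|^Server version: IBM_HTTP_Server/\([0-9][0-9.]*\).*|\1|p'
}

# ihs_status VERSION: print "patched", "unpatched" or "unknown-stream".
# "unpatched" means the build is inside the affected range; whether the host
# is actually exposed still depends on TLS client authentication being on.
ihs_status() {
  v=$1
  case $v in
    8.5.*) if version_ge "$v" "$FIXED_85"; then echo patched; else echo unpatched; fi ;;
    9.0.*) if version_ge "$v" "$FIXED_90"; then echo patched; else echo unpatched; fi ;;
    *)     echo unknown-stream ;;
  esac
}

# Constructed banners (not captured from real systems) covering both streams,
# on each side of the fix boundary.
for banner in \
  "Server version: IBM_HTTP_Server/8.5.5.29 (Unix)" \
  "Server version: IBM_HTTP_Server/8.5.5.30 (Unix)" \
  "Server version: IBM_HTTP_Server/9.0.5.5 (Unix)" \
  "Server version: IBM_HTTP_Server/9.0.5.29 (Unix)"; do
  ver=$(ihs_version "$banner")
  printf '%-10s %s\n' "$ver" "$(ihs_status "$ver")"
done
```

On a real host, feed the output of the IHS `apachectl -v` into `ihs_version` instead of the constructed banners, and combine the result with the per-vhost client-authentication audit to decide which unpatched builds are actually exposed.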