CVE-2026-9006

Published Jun 22, 2026

Last updated 3 days ago

CVSS high 7.4

Server

Overview

Description: IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may allow an attacker to send unauthorized requests from the system, resulting in a security bypass or information disclosure.
Source: psirt@us.ibm.com
NVD status: Analyzed
Products: websphere_application_server

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.1
Impact score: 5.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: CRITICAL

Weaknesses

psirt@us.ibm.com: CWE-918

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "271A774E-CAB3-4A5F-8450-EADBBA7D8AF6",
            "versionEndExcluding": "8.5.5.30",
            "versionStartIncluding": "8.5.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "BA0DBCF1-7255-420A-B0A4-04C90BAE14F6",
            "versionEndExcluding": "9.0.5.29",
            "versionStartIncluding": "9.0.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89",
            "vulnerable": false
          },
          {
            "criteria": "cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "C684FC45-C9BA-4EF0-BD06-BB289450DD21",
            "vulnerable": false
          },
          {
            "criteria": "cpe:2.3:o:ibm:z\\/os:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "0E97A964-6F9E-4C87-9B90-21AE2C1DF52F",
            "vulnerable": false
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
            "vulnerable": false
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References