TL;DR: WebSphere Web Server Plug-ins HTTP request smuggling, classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, HTTP Request Smuggling). Vendor (IBM PSIRT): 7.5 HIGH. The NVD score reflects worst-case network attack assumptions; the vendor score reflects observed exploitation complexity. Patch on the higher score, hunt on the worst-case vector.
What This Vulnerability Is
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty, versions 8.5 and 9.0. IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
The National Vulnerability Database assigned this issue a CVSS base score of 7.5, placing it in the HIGH category. The identifier CVE-2026-8620 was published on 26 May 2026. The weakness class is CWE-444 (Inconsistent Interpretation of HTTP Requests, HTTP Request Smuggling).
- CVE Identifier: CVE-2026-8620
- CVSS Base Score: 7.5 / 10.0 (HIGH)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weakness Class: CWE-444 (Inconsistent Interpretation of HTTP Requests, HTTP Request Smuggling)
- Published: 26 May 2026
- Vendor Advisory: https://www.ibm.com/support/pages/node/7274072
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-8620
How a Sherlock Forensic Examiner Triages a Suspected WebSphere Plug-in Compromise
If you suspect HTTP request smuggling has been exploited against a WebSphere Application Server fronted by the IBM Web Server Plug-ins, the first artifact a Sherlock forensic examiner pulls is the plug-in trace log. The default location is /opt/IBM/WebSphere/Plugins/logs/http_plugin.log, or the path set in your custom configuration. Look for entries showing requests forwarded to backend servers that carry unexpected combinations of Content-Length and Transfer-Encoding headers, in particular both headers on the same request, within the suspected exploitation window.
The second artifact is the upstream WebSphere access log. The front-end/back-end desync that defines request smuggling means the front end logs one request while the back end services a different one. Compare the front-end IBM HTTP Server access log against the backend WebSphere SystemOut.log for the same window. Mismatched request counts, or backend requests with no corresponding front-end entry, are the exploitation signature.
The third artifact is the application-layer audit log. Smuggled requests bypass front-end authentication and reach the application directly. Pull the WebSphere security audit log (security.xml audit configuration) and any application-level audit logs. Look for actions attributed to a single user account whose timestamps line up with the smuggled-request timestamps from the plug-in trace.
The fourth artifact is the database query log if your application exposes one. Smuggled requests that reach the backend often carry parameters intended to extract or modify backend data. Cross-reference application audit log timestamps with database query timestamps for the same window. Unusual queries from application service accounts during smuggling windows are the lateral-movement indicator.
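The cross-log comparison from the second artifact and the header check from the first, as an added example that is not part of the original analysis or of any IBM tooling. The log lines are constructed; the back-end line format is a stand-in for whatever your WebSphere side actually records, and the 60-second window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines, not real logs. Front end: IBM HTTP Server access log in
# Common Log Format. Back end: a simplified "timestamp method path" line standing in
# for whatever your WebSphere side records (adapt backend_window to the real format).
FRONTEND_LOG = """\
10.0.0.5 - - [26/May/2026:10:00:01 +0000] "POST /app/login HTTP/1.1" 200 512
10.0.0.5 - - [26/May/2026:10:00:03 +0000] "GET /app/home HTTP/1.1" 200 2048
10.0.0.9 - - [26/May/2026:10:01:10 +0000] "GET /app/home HTTP/1.1" 200 2048
""".splitlines()

BACKEND_LOG = """\
2026-05-26T10:00:01Z POST /app/login
2026-05-26T10:00:01Z GET /admin/users
2026-05-26T10:00:03Z GET /app/home
2026-05-26T10:01:10Z GET /app/home
""".splitlines()

CLF_TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")

def frontend_window(line, window=60):
    """Start (epoch seconds) of the window a CLF access-log line falls into."""
    ts = datetime.strptime(CLF_TS_RE.search(line).group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()) // window * window

def backend_window(line, window=60):
    """Start (epoch seconds) of the window a constructed back-end line falls into."""
    ts = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
    return int(ts.replace(tzinfo=timezone.utc).timestamp()) // window * window

def desync_windows(frontend_lines, backend_lines, window=60):
    """Windows in which the back end serviced more requests than the front end
    forwarded. Returns {window_start: surplus}; a surplus is the smuggling signature."""
    fe = Counter(frontend_window(l, window) for l in frontend_lines)
    be = Counter(backend_window(l, window) for l in backend_lines)
    return {w: be[w] - fe[w] for w in sorted(be) if be[w] > fe[w]}

def has_cl_te_conflict(headers):
    """True when one request carries both Content-Length and a chunked
    Transfer-Encoding, the combination the plug-in trace review looks for."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return "content-length" in lowered and "chunked" in lowered.get("transfer-encoding", "")

if __name__ == "__main__":
    print(desync_windows(FRONTEND_LOG, BACKEND_LOG))  # one window with a surplus of 1
```

The constructed back-end log has one request (GET /admin/users) with no front-end counterpart, which surfaces as a surplus of 1 in the 10:00 window.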
Detection Signature
Illustrative Sigma rule for SIEM-based detection. Tune thresholds to your baseline before production deployment.

```yaml
title: WebSphere Plug-in Request Smuggling Signature CVE-2026-8620
id: cve-2026-8620-websphere-smuggle
status: experimental
description: Detects HTTP request smuggling patterns consistent with CVE-2026-8620 against WebSphere Plug-ins.
logsource:
    category: webserver
detection:
    selection:
        # Matches a request that carries both Content-Length and a chunked Transfer-Encoding.
        # Point this at whichever field in your log source holds the raw request headers;
        # cs-uri-query only works if your web server logs headers into that field.
        cs-uri-query|re: '(Transfer-Encoding.*chunked.*Content-Length|Content-Length.*Transfer-Encoding.*chunked)'
    condition: selection
level: high
```
What to Do About It
- Apply the vendor patch. Follow the vendor advisory for the current patched version. Patch on the NVD-9.8 worst-case scoring rather than the vendor-reduced scoring; the NVD score reflects the worst-case attacker scenario, which is what your incident response plan should be built around.
- Run the forensic triage above on any system showing the indicator pattern. The forensic angle in this analysis is grounded in primary-source NVD data and Sherlock incident response methodology. If your team lacks the bandwidth, an external incident response engagement closes the gap.
- Subscribe to the CISA Known Exploited Vulnerabilities catalog. The CISA KEV catalog tracks CVEs with confirmed in-the-wild exploitation. Treat additions to the KEV catalog as emergency patch tickets.
- Document your response. Record what you checked, what you patched and what residual risk remains. This matters for compliance and for any incident response activity that follows.