<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Websphere — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/websphere/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 23 Apr 2026 00:18:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/websphere/feed.xml" rel="self" type="application/rss+xml"/><item><title>IBM WebSphere Liberty Identity Spoofing Vulnerability (CVE-2026-3621)</title><link>https://feed.craftedsignal.io/briefs/2026-04-websphere-spoofing/</link><pubDate>Thu, 23 Apr 2026 00:18:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-websphere-spoofing/</guid><description>IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 are susceptible to identity spoofing when applications are deployed without proper authentication and authorization configurations, potentially leading to unauthorized access and privilege escalation.</description><content:encoded><![CDATA[<p>CVE-2026-3621 identifies an identity spoofing vulnerability affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4. This vulnerability arises when applications are deployed on WebSphere Liberty without authentication or authorization mechanisms configured. An attacker could potentially exploit this flaw to impersonate legitimate users or services, gaining unauthorized access to resources and performing actions on their behalf. This vulnerability was reported to IBM and assigned a CVSS v3.1 base score of 7.5, indicating a high potential impact. 
Successful exploitation allows for unauthorized actions and data access within the vulnerable WebSphere Liberty environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a WebSphere Liberty instance running a vulnerable version (17.0.0.3 through 26.0.0.4).</li>
<li>The attacker determines that an application is deployed on the WebSphere Liberty instance without proper authentication or authorization configurations.</li>
<li>The attacker crafts a malicious request, spoofing the identity of a legitimate user. This might involve manipulating HTTP headers or other request parameters.</li>
<li>The malicious request is sent to the vulnerable application on the WebSphere Liberty server.</li>
<li>The WebSphere Liberty server, lacking proper authentication checks, processes the request under the forged identity.</li>
<li>The attacker gains unauthorized access to resources or performs actions associated with the spoofed identity.</li>
<li>The attacker can potentially escalate privileges by accessing administrative functions or sensitive data accessible to the spoofed user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3621 can lead to significant consequences. An attacker could gain unauthorized access to sensitive data, modify application configurations, or perform actions on behalf of legitimate users, potentially leading to data breaches, service disruption, or complete system compromise. The vulnerability is particularly concerning for organizations that rely on WebSphere Liberty for critical applications and have not implemented proper authentication and authorization controls. The number of affected organizations is currently unknown but will depend on the prevalence of vulnerable WebSphere Liberty instances deployed without adequate security measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply appropriate authentication and authorization configurations to all applications deployed on IBM WebSphere Application Server Liberty to mitigate CVE-2026-3621, as described in <a href="https://www.ibm.com/support/pages/node/7270437">IBM&rsquo;s advisory</a>.</li>
<li>Deploy the Sigma rule &ldquo;Detect WebSphere Liberty Unauthorized Access Attempt&rdquo; to identify suspicious requests lacking authentication headers.</li>
<li>Upgrade to a non-vulnerable version of IBM WebSphere Application Server Liberty outside the range of 17.0.0.3 through 26.0.0.4.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-3621</category><category>websphere</category><category>identity spoofing</category><category>cwe-269</category></item><item><title>IBM WebSphere Application Server Liberty Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-03-websphere-vulns/</link><pubDate>Wed, 25 Mar 2026 11:50:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-websphere-vulns/</guid><description>A remote, authenticated attacker can exploit multiple vulnerabilities in IBM WebSphere Application Server Liberty to escalate privileges, bypass security measures, and disclose information.</description><content:encoded><![CDATA[<p>IBM WebSphere Application Server Liberty is affected by multiple vulnerabilities that could be exploited by a remote, authenticated attacker. According to the BSI advisory published on March 25, 2026, successful exploitation can lead to privilege escalation, circumvention of security measures, and sensitive information disclosure. While the specific CVEs and techniques are not detailed in the source material, the broad impact across multiple security domains makes this a significant risk for organizations using the affected software. Defenders should prioritize identifying WebSphere Liberty instances and implementing mitigations as they become available.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker authenticates to the IBM WebSphere Application Server Liberty instance using existing or compromised credentials.</li>
<li>The attacker leverages a vulnerability in the application server to bypass access controls.</li>
<li>Using the bypassed access, the attacker gains access to administrative functions or APIs.</li>
<li>The attacker exploits a privilege escalation vulnerability to gain higher-level privileges within the application server.</li>
<li>With elevated privileges, the attacker accesses sensitive configuration files and data stored within the application server.</li>
<li>The attacker exploits a vulnerability that allows the reading of arbitrary files on the system.</li>
<li>The attacker exfiltrates sensitive information such as user credentials, API keys, or proprietary data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can have severe consequences. An attacker could gain complete control over the WebSphere Application Server Liberty instance, leading to data breaches, service disruption, and potential lateral movement within the network. The number of victims and the sectors targeted are currently unknown, but any organization using IBM WebSphere Application Server Liberty is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor WebSphere Liberty server logs for suspicious activity following authentication to detect potential privilege escalation attempts (reference: Attack Chain step 4).</li>
<li>Implement the generic privilege escalation detection rule to identify unauthorized attempts to elevate privileges (reference: rules).</li>
<li>Implement the security measure bypass detection rule to identify possible vulnerability abuse (reference: rules).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>websphere</category><category>vulnerability</category><category>privilege-escalation</category><category>defense-evasion</category><category>information-disclosure</category></item></channel></rss>