CVE-2026-8855 - Vulnerability Details - OpenCVE

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Http Server

No data.

No data.

No data.

References

Link	Providers
https://www.ibm.com/support/pages/node/7274065

History

Tue, 26 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
Title		IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared		Ibm Ibm http Server
Weaknesses		CWE-94
CPEs		cpe:2.3:a:ibm:http_server:8.5.0:::::::* cpe:2.3:a:ibm:http_server:8.5:::::::* cpe:2.3:a:ibm:http_server:9.0.0:::::::* cpe:2.3:a:ibm:http_server:9.0:::::::*
Vendors & Products		Ibm Ibm http Server
References		https://www.ibm.com/support/pages/node/7274065
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-05-26T16:58:54.958Z

Updated: 2026-05-26T16:58:54.958Z

Reserved: 2026-05-18T16:27:17.633Z

Link: CVE-2026-8855

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-05-26T18:16:57.170

Modified: 2026-05-26T19:06:14.330

Link: CVE-2026-8855

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8855", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-05-18T16:27:17.633Z", "datePublished": "2026-05-26T16:58:54.958Z", "dateUpdated": "2026-05-26T16:58:54.958Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-05-26T16:58:54.958Z"}, "title": "IBM HTTP Server is affected by multiple vulnerabilities", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "HTTP Server", "versions": [{"status": "affected", "version": "8.5.0", "lessThanOrEqual": "Interim Fix 002", "versionType": "semver"}, {"status": "affected", "version": "9.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7274065", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--\u00b7 Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).\u00a0For V8.5.0.0 through 8.5.5.29:\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--\u00b7 Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\u00a0Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.</p><p><strong>For IBM HTTP Server used by IBM WebSphere Application Server:</strong></p><p><strong>For V9.0.0.0 through 9.0.5.28:</strong><br>\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7239806\" rel=\"nofollow\">PH71265</a><br>--OR--<br>\u00b7 Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). </p><p><strong>For V8.5.0.0 through 8.5.5.29:</strong><br>\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7239806\" rel=\"nofollow\">PH71265</a><br>--OR--<br>\u00b7 Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).</p><p> Additional interim fixes may be available and linked off the interim fix download page.</p><p>Important Note</p><p>IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}