Inconsistent interpretation of HTTP requests in IBM WebSphere Application Server Liberty - CVE-2026-11806
Published: July 10, 2026
IBM WebSphere Application Server Liberty
Detailed vulnerability description
The vulnerability allows a remote privileged user to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests with the restConnector-2.0 feature enabled. A remote privileged user can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.