IBM Support

PH71590:IBM WEBSPHERE APPLICATION SERVER IS VULNERABLE TO IDENTITY SPOOFING (CVE-2026-8644)

Download


Downloadable File

File linkFile sizeFile description
   
   
   
   
   

Abstract

IBM WEBSPHERE APPLICATION SERVER IS VULNERABLE TO IDENTITY SPOOFING (CVE-2026-8644)

Download Description

The fix for this APAR is targeted for inclusion in 8.5.5.30 and 9.0.5.29.

For more information, see: Recommended Updates for WebSphere Application Server

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.  

Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages. 
 

IBM Installation Manager packages

DOWNLOADAPPLICABLE FIX PACKSRELEASE DATE

URL

9.0.5.28-WS-WAS-IFPH715909.0.5.2816 Jun 2026FC
9.0.5.27-WS-WAS-IFPH715909.0.5.2712 Jun 2026FC
9.0.5.25-WS-WAS-IFPH715909.0.5.25 through 9.0.5.2612 Jun 2026FC
9.0.5.24-WS-WAS-IFPH715909.0.5.2412 Jun 2026FC
9.0.5.20-WS-WAS-IFPH715909.0.5.20 through 9.0.5.2312 Jun 2026FC
8.5.5.28-WS-WAS-IFPH715908.5.5.28 through 8.5.5.2912 Jun 2026FC
8.5.5.25-WS-WAS-IFPH715908.5.5.25 through 8.5.5.2712 Jun 2026FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH71590, PH71422, PH58798, PH58869, PH59304, PH59438, PH61068, PH61808, PH62052, PH63778, PH64005, PH65121, PH65161, PH65873

Change History

  • 2026/06/01: Correct description of range for 9.0.5.24-WS-WAS-IFPH71422
  • 2026/06/12: There might be a performance impact caused by the fix for PH71422. The fixes for PH71422 are replaced by PH71590.
  • 2026/06/16: Add IFPH71590 for 9.0.5.28

On

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m3p000000F7xdAAC","label":"WebSphere Application Server traditional-All Platforms"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;9.0.5"}]

Problems (APARS) fixed
PH71422, PH58798, PH58869, PH59304, PH59438, PH61068, PH61808, PH62052, PH63778, PH64005, PH65121, PH65161, PH65873

Document Information

Modified date:
17 June 2026

UID

ibm17274652