ctipilot.ch

Home · Live brief · Daily brief 2026-05-29

CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)

Severity: high · Type: vulnerability · Discovered: 2026-05-29 05:00 UTC

Part of run 2026-05-29-c7f56b00 (intel · Claude Opus 4.7)

IBM disclosed nine vulnerabilities in IBM HTTP Server (IHS) and WebSphere Application Server on 2026-05-26; the most severe is CVE-2026-9170 — CWE-94 improper input validation in the HTTP request-parsing layer that lets a remote, unauthenticated attacker trigger arbitrary code execution by sending a crafted HTTP request to the default web listener. NCSC.ch flagged the advisory as Security Hub post 12601 on 2026-05-28. NVD entry CVE-2026-9170 carries the CVSS 9.8 base score. Affected: IBM HTTP Server 9.0 and 8.5 branches; WebSphere Application Server Traditional 9.0 and 8.5 before the listed fix packs. Other notable CVEs in the same batch: CVE-2026-8855 (CVSS 8.1, RCE in TLS mutual-auth configs); CVE-2026-8834 (CVSS 8.0, heap-based buffer overflow in the Administration Server); CVE-2026-8856 / CVE-2026-8850 / CVE-2026-8854 (DoS). IBM recommends applying interim fix APAR PH71265 or the corresponding fix pack and disabling unused optional modules (mod_ibm_upload, mod_mem_cache). No public exploitation observed.
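The brief's interim mitigation, beyond the APAR, is to disable the optional modules mod_ibm_upload and mod_mem_cache where they are not needed. The following is an added example, not code from IBM or from this brief: a POSIX shell audit that reads an IHS httpd.conf (IHS is Apache httpd based, so modules are enabled by uncommented LoadModule lines) and reports which of those two modules is still loaded. The LoadModule identifier names in the constructed sample configuration (ibm_upload_module, mem_cache_module) and the ServerRoot path are assumptions; the script matches on the .so file names the brief gives, so it does not depend on them.

```shell
#!/bin/sh
# Added example (not IBM's or the brief's code): audit an IBM HTTP Server
# httpd.conf for the optional modules the advisory says to disable if unused.
# Module identifiers and paths in the sample below are assumptions; the
# check keys on the .so names (mod_ibm_upload.so, mod_mem_cache.so).

# Constructed sample httpd.conf so the audit runs offline. mod_ibm_upload is
# active, mod_mem_cache is commented out, and an unrelated module is present.
make_sample_conf() {
  cat <<'EOF'
ServerRoot "/opt/IBM/HTTPServer"
Listen 80
LoadModule ibm_upload_module modules/mod_ibm_upload.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
EOF
}

# Print, one per line, the optional modules that are still loaded.
# A module counts as loaded only when a LoadModule directive naming its .so
# file appears with no leading '#' (leading whitespace is allowed).
# Usage: active_optional_modules /path/to/httpd.conf
active_optional_modules() {
  conf="$1"
  for mod in mod_ibm_upload mod_mem_cache; do
    if grep -E "^[[:space:]]*LoadModule[[:space:]]+[A-Za-z0-9_]+[[:space:]]+[^#]*/$mod\.so" \
         "$conf" >/dev/null 2>&1; then
      echo "$mod"
    fi
  done
}

# Exit 0 when neither optional module is loaded, 1 when at least one is,
# so the function can gate a config-management or CI check.
check_conf() {
  active=$(active_optional_modules "$1")
  if [ -n "$active" ]; then
    printf 'REVIEW: optional module(s) still loaded in %s:\n%s\n' "$1" "$active" >&2
    return 1
  fi
  printf 'OK: mod_ibm_upload and mod_mem_cache are not loaded in %s\n' "$1" >&2
  return 0
}

# Stand-alone demo against the constructed sample; a real run would pass the
# server's actual httpd.conf, e.g. check_conf /opt/IBM/HTTPServer/conf/httpd.conf
demo_conf=$(mktemp)
make_sample_conf > "$demo_conf"
check_conf "$demo_conf" || true
rm -f "$demo_conf"
```

Disabling a module is a matter of commenting out its LoadModule line and restarting IHS; rerunning the audit afterwards should report OK. Note that a commented-out line still leaves the .so on disk, so the check is about what the running server loads, not about what is installed.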

“CVE-2026-9170 CVSS3.1: 9.8 (CRITICAL) - Improper input validation leading to RCE and DoS” — NCSC.ch Security Hub post 12601

“IBM HTTP Server and WebSphere Application Server are vulnerable to remote code execution due to improper input validation” — IBM Security Bulletin

Tags: vulnerabilities · rce · pre-auth · patch-available · europe · switzerland · global · CVE-2026-9170