Cyber Resilience

CVE-2026-3621

HighUpdated

Published: 23 April 2026

Published
23 April 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 14.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3621 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Ibm Websphere Application Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 are affected by CVE-2026-3621, a vulnerability enabling identity spoofing under limited conditions. This issue arises specifically when an application is deployed without authentication and authorization configured, as detailed in the CVE description published on 2026-04-23. The vulnerability is associated with CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.

Exploitation requires network access, high attack complexity, and low privileges (PR:L), with no user interaction needed. A low-privileged attacker could leverage the identity spoofing to impersonate other users or entities under the specified conditions, potentially achieving high-level compromise of confidentiality, integrity, and availability for the affected application.

IBM has published a security advisory with details on mitigation at https://www.ibm.com/support/pages/node/7270437. Security practitioners should consult this reference for patch availability, configuration guidance, and upgrade recommendations to address the vulnerability.

EU & UK References

Vulnerability details

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability in public-facing WebSphere server enables exploitation for initial access (T1190) and allows low-privileged identity spoofing leading to privilege escalation (T1068) due to improper privilege management.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-9311Same product: Ibm Websphere Application Server
CVE-2026-8633Same product: Ibm Websphere Application Server
CVE-2025-14914Same product: Ibm Websphere Application Server
CVE-2026-8620Same product: Ibm Websphere Application Server
CVE-2026-9330Same product: Ibm Websphere Application Server
CVE-2026-9319Same product: Ibm Websphere Application Server
CVE-2026-8644Same product: Ibm Websphere Application Server
CVE-2025-14923Same product: Ibm Websphere Application Server
CVE-2026-6389Same vendor: Ibm
CVE-2025-36072Same vendor: Ibm

Affected Assets

ibm
websphere application server
17.0.0.3 — 26.0.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely identification, reporting, and correction of flaws like CVE-2026-3621 in IBM WebSphere Liberty directly prevents identity spoofing exploitation.

prevent

Establishing and enforcing secure configuration settings ensures applications are deployed with authentication and authorization enabled, eliminating the vulnerable condition.

prevent

Enforcing approved authorizations for access directly mitigates identity spoofing by verifying identities and restricting unauthorized actions in WebSphere Liberty.

References