CVE-2026-3621

High

Published: 23 April 2026

Published

23 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3621 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Ibm (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely identification, reporting, and correction of flaws like CVE-2026-3621 in IBM WebSphere Liberty directly prevents identity spoofing exploitation.

CM-6 Configuration Settings good match

prevent

Establishing and enforcing secure configuration settings ensures applications are deployed with authentication and authorization enabled, eliminating the vulnerable condition.

AC-3 Access Enforcement good match

prevent

Enforcing approved authorizations for access directly mitigates identity spoofing by verifying identities and restricting unauthorized actions in WebSphere Liberty.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing WebSphere server enables exploitation for initial access (T1190) and allows low-privileged identity spoofing leading to privilege escalation (T1068) due to improper privilege management.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.

Deeper analysisAI

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 are affected by CVE-2026-3621, a vulnerability enabling identity spoofing under limited conditions. This issue arises specifically when an application is deployed without authentication and authorization configured, as detailed in the CVE description published on 2026-04-23. The vulnerability is associated with CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.

Exploitation requires network access, high attack complexity, and low privileges (PR:L), with no user interaction needed. A low-privileged attacker could leverage the identity spoofing to impersonate other users or entities under the specified conditions, potentially achieving high-level compromise of confidentiality, integrity, and availability for the affected application.

IBM has published a security advisory with details on mitigation at https://www.ibm.com/support/pages/node/7270437. Security practitioners should consult this reference for patch availability, configuration guidance, and upgrade recommendations to address the vulnerability.