External risk intelligence

IBM WebSphere Liberty SSRF Vulnerability in Admin Center

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-11546

IBM WebSphere Application Server is frequently deployed as an internet-facing web server or application middleware. The adminCenter-1.0 feature provides a web-based management interface, which is commonly exposed or accessible within network environments where administrative access might be reachable, making it a likely target for network-based interaction.

Server-Side Request Forgery

Ibm Websphere Application Server

17.0.0.3 to before 26.0.0.8

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in IBM WebSphere Application Server's Liberty feature, specifically when the adminCenter-1.0 is enabled. This issue could allow unauthenticated attackers to make arbitrary server-side requests, potentially leading to significant compromise. The primary concern is to confirm if this specific feature is active within your environment and assess any potential exposure.

  • Allows unauthorized server requests.
  • Affects critical IBM WebSphere Liberty.
  • Confirm if adminCenter-1.0 is active.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable IBM WebSphere Application Server instance that has the `adminCenter-1.0` feature enabled. This could allow the attacker to make the server send requests to arbitrary locations, potentially leading to the disclosure of sensitive information or further compromise of the server.

  • Server exposed to network.
  • Admin Center feature triggered.
  • Potential for sensitive data leakage.

Live Threat

Current exploitation, exposure, and threat context

When the `adminCenter-1.0` feature is enabled in IBM WebSphere Application Server Liberty, a server-side request forgery vulnerability could allow an unauthenticated attacker to make the server issue requests to arbitrary internal or external resources. This could expose sensitive information or disrupt services by impacting the server's network access.

  • Internal network resources or services.
  • Attacker triggers requests through the vulnerable feature.
  • Disclosure or denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in IBM WebSphere Application Server Liberty, specifically when the `adminCenter-1.0` feature is enabled, requires immediate attention from platform or application owners responsible for its deployment. The first practical step is to identify all instances of the affected WebSphere Application Server Liberty, determine their network exposure and business criticality, and then ascertain the accountable owner to initiate a risk-based remediation plan.

  • Platform and application owners must be accountable.
  • Verify `adminCenter-1.0` feature and network exposure.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM WebSphere Application Server Liberty?

It is a lightweight, modular Java application server used to build, deploy, and run cloud-native applications and microservices. It is designed for high performance and flexibility, often serving as the foundational middleware that hosts business logic and manages connections between different parts of a software ecosystem.

What does CWE-918 mean for CVE-2026-11546?

This CVE involves Server-Side Request Forgery (SSRF). In this class of weakness, a flaw in the application allows an attacker to manipulate the server into sending requests to locations the attacker chooses. Instead of the user interacting directly with internal or external systems, the vulnerable server performs those actions on the attacker's behalf, potentially bypassing access controls.

How can an attacker trigger this SSRF vulnerability?

An attacker triggers this by sending specifically crafted network requests to a server where the adminCenter-1.0 feature is enabled. This bug is not triggered if the adminCenter-1.0 feature is disabled or not installed, as the vulnerable request-handling logic is tied specifically to the functionality provided by that feature.

Why should I care about this if my server is internal?

Halo Surface Signal indicates that while these servers are often internet-facing, they are also commonly accessed within internal network environments. If an attacker gains any foothold on your network, they could reach the administration interface. Because the vulnerability allows the server to act as a proxy, it can be used to reach other sensitive internal services that were never intended to be exposed to the outside.

What should I do first to address this vulnerability?

Your immediate priority is to conduct an inventory to locate every instance of IBM WebSphere Liberty in your environment. For each instance, verify whether the adminCenter-1.0 feature is active. Once identified, document which systems are currently reachable over the network and coordinate with the relevant application owners to plan for disabling the feature or applying the necessary vendor updates.

References