External risk intelligence

IBM WebSphere Liberty SSRF Vulnerability with apiDiscovery-1.0 Enabled.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-11714

IBM WebSphere Application Server is a widely used enterprise web application and middleware platform. It is commonly deployed as a public-facing web server or API gateway. When the apiDiscovery-1.0 feature is enabled, this component is designed to interact with external requests, making it a likely candidate for exposure to internet-facing traffic.

Server-Side Request Forgery

Ibm Websphere Application Server

17.0.0.3 to before 26.0.0.8

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in IBM WebSphere Application Server, specifically within the Liberty profile when the apiDiscovery-1.0 feature is active. The flaw allows for server-side request forgery, meaning an attacker could trick the server into making requests on their behalf. This could potentially lead to unauthorized access to internal resources or sensitive data, depending on how the application server is configured and what it is connected to.

  • Server sends requests on behalf of attackers.
  • Critical vulnerability in widely used IBM software.
  • Focus on confirming impact and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can initiate a server-side request forgery by sending specially crafted requests to an exposed IBM WebSphere Application Server Liberty instance. This is possible when the `apiDiscovery-1.0` feature is enabled, allowing the attacker to trick the server into making requests to arbitrary resources. Successful exploitation could lead to significant compromise of the server's data and functionality.

  • Requires no special access or authentication.
  • Triggered via network requests to `apiDiscovery-1.0`.
  • High risk to confidentiality, integrity, and availability.

Live Threat

Current exploitation, exposure, and threat context

When the `apiDiscovery-1.0` feature is enabled, this vulnerability could allow an unauthenticated attacker to make the server issue network requests to arbitrary hosts, potentially exposing internal network resources or sensitive information.

  • Internal network access could be exposed.
  • Attackers could send forged requests to internal services.
  • Sensitive information disclosure may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The IBM WebSphere Application Server - Liberty environment, particularly when the `apiDiscovery-1.0` feature is enabled, requires attention from platform and application owners. The initial practical move is to inventory all instances of this technology, determine their exposure and criticality, and identify the accountable owner before planning remediation efforts.

  • Platform and application owners should manage this.
  • Verify `apiDiscovery-1.0` feature status and exposure.
  • Plan remediation based on asset criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM WebSphere Application Server - Liberty?

It is a lightweight, modular Java application server used by enterprises to host web applications and microservices. The Liberty profile is designed for rapid development and deployment, often serving as a backbone for complex API-driven architectures or acting as an interface between internal business logic and external network traffic.

What does CVE-2026-11714 mean for my server?

This vulnerability is classified as Server-Side Request Forgery (SSRF), identified as CWE-918. It means the application server can be tricked into acting as a proxy. Instead of processing a legitimate request, the server is manipulated into sending its own requests to unintended internal or external destinations, potentially bypassing security controls.

How is this SSRF vulnerability triggered?

The vulnerability is triggered when an attacker sends specifically crafted network requests to a server with the apiDiscovery-1.0 feature enabled. The flaw does not occur if this specific feature is disabled or not in use; the feature is the mechanism that allows the server to be misled into performing unauthorized actions on the network.

Is my IBM WebSphere instance at risk?

According to Halo Surface Signal, this software is often deployed as a public-facing gateway, making it a likely candidate for internet-facing traffic. If your instance is accessible from the internet and has the apiDiscovery-1.0 feature active, it is exposed to remote, unauthenticated requests that could be used to probe your internal network.

What should I do to address this CVE?

Start by inventorying your environment to locate all IBM WebSphere Liberty instances. Determine which systems have the apiDiscovery-1.0 feature enabled. Once you have identified these assets, assess their network exposure and work with the responsible application owners to apply official vendor updates or disable the vulnerable feature if it is not strictly required.

References