External risk intelligence

IBM WebSphere Ajax Proxy SSRF Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-9006

IBM WebSphere Application Server is frequently deployed as an internet-facing web application server, middleware, or API gateway. The vulnerability involves the Ajax Proxy, a component often used in web applications that may be reachable from the internet as part of the normal service exposure.

Server-Side Request Forgery

Ibm Websphere Application Server

8.5.0.0 to before 8.5.5.309.0.0.0 to before 9.0.5.29

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects IBM WebSphere Application Server, specifically when its Ajax Proxy feature is configured, potentially allowing unauthorized requests originating from your systems. This could lead to bypassing security controls or exposing sensitive information, impacting the integrity and confidentiality of your data.

  • Attackers can send fake requests from our servers.
  • This bypasses security and can expose company data.
  • Confirm if WebSphere is in use and if Ajax Proxy is enabled.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to the Ajax Proxy feature of an exposed IBM WebSphere Application Server. If the Ajax Proxy is configured, it may allow an attacker to make the server issue requests on their behalf, potentially leading to unauthorized access to internal resources or sensitive information.

  • No authentication or privileges required.
  • Ajax Proxy feature is triggered.
  • Security bypass and information disclosure.

Live Threat

Current exploitation, exposure, and threat context

When the Ajax Proxy is configured in IBM WebSphere Application Server, an attacker could send unauthorized requests from the affected system, potentially bypassing security controls or revealing sensitive information. This could occur when the proxy is exposed to external networks and not properly secured.

  • System may act on behalf of attacker.
  • Unrestricted network requests to internal or external systems.
  • Security bypass or information disclosure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical SSRF vulnerability in IBM WebSphere Application Server, particularly when the Ajax Proxy is configured, necessitates action from application owners and infrastructure teams. The initial focus should be on identifying all instances of the affected WebSphere Application Server, assessing their external reachability and business criticality, and pinpointing the accountable system owner. Planning for remediation should then proceed based on the assessed risk.

  • Application owners should drive remediation.
  • Verify Ajax Proxy configuration and exposure.
  • Plan maintenance for impacted systems.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM WebSphere Application Server?

IBM WebSphere Application Server is a middleware platform used to host, run, and manage enterprise-grade web applications. It serves as an engine that connects front-end web requests to back-end business logic and databases, supporting various IBM operating environments including z/OS, AIX, and IBM i, as well as Linux and Windows systems. It is commonly deployed to support large-scale, complex software environments.

How does CVE-2026-9006 work?

This vulnerability is a Server-Side Request Forgery (SSRF), identified as CWE-918. It occurs when a web application improperly validates user-provided input, allowing an attacker to force the server to make unauthorized requests to internal or external destinations. In this case, the weakness resides in the Ajax Proxy component, which can be manipulated to interact with resources that should otherwise be unreachable or protected by the server's security policies.

What triggers this WebSphere SSRF issue?

The vulnerability is triggered when an attacker sends a specially crafted request to the Ajax Proxy feature. Crucially, the system is only at risk if the Ajax Proxy is explicitly configured and enabled. If the Ajax Proxy component is disabled or not in use within your WebSphere environment, the specific mechanism required to facilitate these unauthorized requests is not present, and the server is not susceptible to this particular attack path.

Do I need to worry if my WebSphere is internal?

Yes, it is still relevant. According to Halo Surface Signal, WebSphere is often used as a gateway or middleware, making it a critical hub. Even if your server is not directly on the internet, an attacker who has gained a foothold inside your network could leverage an internally exposed Ajax Proxy to pivot, access restricted internal services, or reach sensitive data that would normally be shielded from the wider network.

How do I respond to CVE-2026-9006?

Start by identifying all instances of IBM WebSphere Application Server in your environment to determine if they are running affected versions. Verify if the Ajax Proxy feature is enabled on these systems. Prioritize servers with external network connectivity for assessment. Coordinate with your application and infrastructure teams to plan remediation, which involves disabling the proxy if it is not required or applying the necessary vendor-provided updates to secure the component.

References