9.8

CVE-2026-8855: IBM HTTP Server 8.5 and 9.0 TLS Mutual Authentication Flaw

Summary

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to remote code execution and denial of service: an attacker can take control of the server or make it unavailable. The issue is particularly concerning in configurations where clients are authenticated (TLS mutual authentication), as it can be exploited by anyone who has been granted access. To mitigate this issue, update to a fixed version or configure the server to use a different authentication method.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions
ibm | http_server | >= 8.5.0.0, < 8.5.5.30
ibm | http_server | >= 9.0.0.0, < 9.0.5.29
CPE: cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
Original title
IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
Original description
IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
NVD CVSS 3.1: 8.1
Vulnerability type
CWE-94 Code Injection
Published: 26 May 2026 · Updated: 30 May 2026 · First seen: 26 May 2026