IBM InfoSphere Information Server stores passwords unencrypted
Security updates for IBM InfoSphere Information Server have been released. Those for WebSphere Application Server Liberty are still pending.
Multiple security vulnerabilities endanger systems with IBM InfoSphere Information Server and WebSphere Application Server Liberty. Among other things, attackers can view unencrypted passwords.
Close software vulnerabilities
The most dangerous is a vulnerability rated "critical" (CVE-2026-24400), which causes errors when processing XML input and results in crashes (DoS). Because InfoSphere Information Server stores passwords in plain text (CVE-2025-36258, "high"), local attackers can read them without hindrance.
Data can also leak in other areas (e.g. CVE-2025-14790 "medium"). In addition, XSS attacks can occur (e.g. CVE-2026-2483 "medium"). To protect systems from possible attacks, admins must install IBM InfoSphere Information Server version 11.7.1.0, 11.7.1.6 or 11.7.1.6 Service pack 2.
Waiting for security updates
IBM WebSphere Application Server Liberty is vulnerable overall due to four flaws. Among them is a prototype pollution vulnerability (CVE-2026-29063 "high"). However, attackers can also gain higher user privileges via a path not specified in detail (CVE-2025-14915 "medium").
However, according to IBM, there are no security updates for these yet; they are expected in the second quarter. Until then, admins must protect their systems using the interim workarounds linked in the following security advisories. So far, IBM has reported no indications of ongoing attacks.
- IBM WebSphere Application Server Liberty is affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063)
- IBM WebSphere Application Server Liberty is affected by a privilege escalation vulnerability (CVE-2025-14915)
- IBM WebSphere Application Server Liberty is affected by server-side request forgery (CVE-2026-1561)
(des)