Skip to content

Address CVE-2026-11546 #35201

Description

@Raison-mathew

Describe the bug
From the endpoint /ibm/api/adminCenter/v1/utils/url/getTool?url= an attacker can send any infinite/huge stream reachable from server (file:///dev/zero, file:///dev/urandom, or attacker-hosted endless body) and the api has no scheme allow-list, no size cap, no read timeout.

Steps to Reproduce
Authenticate with a user before you do the below step. This API is only accessible for an authenticated user (admin/reader).

Navigate to the endpoint and provide the any server URL for example: https://localhost:9446/ibm/api/adminCenter/v1/utils/url/getTool?url=http://localhost:9446"
Check the server for the response and it is observed that application is making an http interaction to the server.
{
"urlReachable": false,
"tool": {
"id": "",
"type": "bookmark",
"name": "",
"url": "http://localhost:9446/",
"icon": "images/tools/defaultTool_142x142.png",
"description": ""
}
}

Expected behavior
shouldn't allow url other than http or https

Diagnostic information:

  • OpenLiberty Version: [e.g. 25.0.0.9 - 26.0.0.6]
  • Affected feature(s) : adminCenter-1.0
  • Java Version: all
  • server.xml configuration (WITHOUT sensitive information like passwords)
  • If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Additional context
Add any other context about the problem here.

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions