IBM has disclosed a critical (CVSS 9.0) remote code execution vulnerability in WebSphere Application Server 9.0 and 8.5, caused by a bypass of security controls that allows unauthenticated attackers to execute arbitrary code over the network.
What Is It
CVE-2026-9311 is a remote code execution flaw in IBM WebSphere Application Server, tracked under CWE-94 (Improper Control of Generation of Code). According to IBM PSIRT, the vulnerability stems from a bypass of security controls in the product, enabling an attacker to achieve code execution on affected servers. The issue was published on 2026-06-01 by IBM's product security team.
Why It Matters
The CVSS 3.1 base score is 9.0 (CRITICAL), with a vector of AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Key properties:
- Network attack vector: exploitable remotely.
- No privileges or user interaction required: unauthenticated.
- Scope changed: successful exploitation can impact resources beyond the vulnerable component.
- High impact to confidentiality, integrity, and availability.
Attack complexity is rated High, meaning successful exploitation likely requires specific conditions rather than being trivial. WebSphere is widely deployed as an enterprise Java application server hosting business-critical workloads, so an RCE with scope change in such an environment is a high-severity exposure.
This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog based on the supplied data, so there is no confirmation of active in-the-wild exploitation at the time of writing.
What's Vulnerable
Per IBM's advisory, the following are affected:
- IBM WebSphere Application Server 9.0
- IBM WebSphere Application Server 8.5
No specific affected CPE list was provided in the NVD record at publication.
Patch Status
IBM has published an advisory at support page node 7274733 covering this issue. Administrators of WebSphere Application Server 9.0 and 8.5 deployments should consult the IBM advisory for the applicable fix pack, interim fix, or mitigation guidance and apply it as soon as possible given the CVSS 9.0 rating and unauthenticated network reachability.
The NVD entry is currently in "Received" status, meaning analysis is still pending and additional metadata (such as affected CPE ranges) may be added later.