Wasteland.

CVE-2026-9319: Critical Deserialization Flaw in IBM WebSphere Application Server

IBM has disclosed a critical (CVSS 9.0) remote code execution vulnerability in WebSphere Application Server 9.0 and 8.5, caused by unsafe deserialization of untrusted data through JAX-WS endpoints protected by WS-Security.

What Is It

CVE-2026-9319 is an insecure deserialization vulnerability (CWE-502) in IBM WebSphere Application Server. The flaw resides in the handling of JAX-WS endpoints that use WS-Security, where untrusted serialized data can be processed in a way that leads to potential remote code execution. The issue was published on 2026-06-01 by IBM PSIRT.

The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H: the flaw is network-reachable and requires neither authentication nor user interaction, but carries a high attack complexity rating. Successful exploitation results in a scope change with high impact across confidentiality, integrity, and availability.

Why It Matters

WebSphere is widely deployed as middleware in enterprise environments, frequently hosting business-critical Java applications and integrations. A deserialization bug reachable over the network without credentials is the classic pre-auth RCE pattern, and the "scope: changed" rating indicates an attacker can break out of the vulnerable component's security boundary.

This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, and no in-the-wild exploitation has been confirmed at the time of writing. The high attack complexity rating suggests reliable exploitation may require specific conditions, but historically WebSphere deserialization bugs have been weaponized quickly once details surface.

What's Vulnerable

The vulnerable code path is specifically JAX-WS endpoints configured with WS-Security. Deployments exposing SOAP web services with WS-Security policies are the primary attack surface.

Patch Status

IBM has published an advisory at the reference URL below. Administrators should consult the IBM support bulletin for the applicable interim fix, fix pack, or mitigation guidance for their WebSphere version. Given the pre-auth network-reachable RCE potential, patching or applying IBM's recommended mitigation should be prioritized, particularly for internet-exposed WebSphere instances offering SOAP/JAX-WS endpoints.
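For defenders who want defense in depth against the CWE-502 bug class while IBM's fix is rolled out, the following is an added example (not IBM's or WebSphere's code) of a JEP 290 deserialization allowlist in plain Java; the `OrderDto` and `Unexpected` classes are hypothetical stand-ins for an application's legitimate DTO and for any class that should never arrive in a serialized stream.

```java
import java.io.*;

// Added example, not IBM code: a JEP 290 ObjectInputFilter allowlist as
// defense in depth for CWE-502. Class names below are hypothetical.
public class SerialFilterDemo {
    // Benign DTO that the application legitimately exchanges.
    public static final class OrderDto implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id; final int qty;
        OrderDto(String id, int qty) { this.id = id; this.qty = qty; }
    }
    // Stands in for any class that has no business arriving over the wire.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow only the DTO and the JDK type it references; reject everything else.
    // The depth/refs/bytes limits bound resource exhaustion from hostile streams.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=256;maxbytes=65536;"
        + "SerialFilterDemo$OrderDto;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached; a rejected class descriptor raises
    // InvalidClassException before any of that class's code can run.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed class: round-trips normally.
        OrderDto ok = (OrderDto) deserialize(serialize(new OrderDto("A-1", 3)));
        System.out.println("allowed: " + ok.id + " x" + ok.qty);
        // Non-allowlisted class: rejected by the filter.
        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax is accepted process-wide through the `jdk.serialFilter` system property on JDK 9 and later, but whether a given container's own deserialization paths honour it has to be verified for that product, and such a filter supplements rather than replaces IBM's fix.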

Sources