Description
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Extreme Scale 8.6.1.x deserializes Java objects through three custom ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter, so any serializable class reachable on the classpath is instantiated while a stream is read. When the Coherence library is on the classpath, a crafted serialized payload can trigger known gadget chains such as RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator. The result is execution of arbitrary code inside the JVM of a peer WebSphere Application Server (WAS) process, compromising the confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6. The unfiltered ObjectInputStream subclasses ship in every one of these releases; the gadget chains confirmed by the vendor additionally require Coherence on the server classpath, so deployments that bundle Coherence are the ones known to be exploitable to code execution.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the flaw High: reachable over the network, low privileges required, no user interaction, but high attack complexity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker needs either authenticated access that allows writing a session attribute, which is serialized for replication to peer servers, or a LAN‑adjacent position on the grid replication wire from which serialized traffic can be injected or tampered with. Once a gadget chain fires during deserialization, the attacker executes code on the peer JVM with no further interaction. Because session replication and inter-server grid traffic are standard in distributed Extreme Scale deployments, the overall risk is considered high.

Generated by OpenCVE AI on June 30, 2026 at 20:20 UTC.

Remediation

Vendor Solution

We recommend customers enable encryption. Please follow the link to enable encryption: https://www.ibm.com/docs/en/wxs/latest?topic=sydgies-securing-data-that-flows-between-extreme-scale-clients-servers-ssl-encryption. For extra security, customers can enable the JEP 290 global JVM deserialization filter (-Djdk.serialFilter) while starting catalog and container servers. JEP 290 is available from 8.0.8.5 onwards.


OpenCVE Recommended Actions

  • Enable SSL/TLS encryption for all data flowing between Extreme Scale clients and servers. This stops a LAN‑adjacent attacker from injecting or tampering with serialized objects on the replication wire; it does not address the authenticated vector, in which a logged-in user writes a malicious session attribute that the server itself serializes and replicates.
  • Set the global JVM deserialization filter by starting catalog and container servers with -Djdk.serialFilter. Prefer an allowlist pattern ending in !* (or, at minimum, a blocklist of the gadget-carrying packages) and add depth/array/reference limits. The filter is process-wide, so exercise it against the application's real object types in a test environment before rolling it out. Per the vendor, JEP‑290 support is available from 8.0.8.5 onward; on older JVMs the property is silently ignored.
  • Restrict network exposure of the grid replication interface and limit LAN‑adjacent access so that only trusted hosts can participate in replication traffic.
  • If the application does not need Coherence, remove it from the server classpath; this eliminates the confirmed gadget chains, although the unfiltered streams themselves remain until the filter is in place.

Generated by OpenCVE AI on June 30, 2026 at 20:20 UTC.
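The following Java program is an added illustration for this advisory and is not WebSphere eXtreme Scale code. It models the bug class described in the AI Analysis (an ObjectInputStream subclass that resolves classes through the context class loader but installs no JEP-290 filter) beside a hardened variant that sets a per-stream allowlist, then shows what the filter accepts and rejects. The class names, the allowlist pattern, and the sample objects are assumptions chosen for the demonstration; the PriorityQueue is used only as a stand-in for the kind of comparator-driven collection that carries gadget chains, and no gadget is constructed. The pattern string is the same syntax -Djdk.serialFilter accepts, which is the vendor's recommended global mitigation.

```java
// Added illustration; not WebSphere eXtreme Scale code. Requires Java 9+ for
// java.io.ObjectInputFilter (on 8u121+ the equivalent is sun.misc.ObjectInputFilter).
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.PriorityQueue;

public class SerialFilterDemo {

    // Hypothetical stand-in for a custom stream: resolves classes through the
    // thread context class loader (as app-server streams usually do) but sets
    // no filter, so any class on the classpath, gadget carriers included, is
    // instantiated as soon as its descriptor appears in the stream.
    static class UnfilteredObjectInputStream extends ObjectInputStream {
        UnfilteredObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            ClassLoader cl = Thread.currentThread().getContextClassLoader();
            try {
                return Class.forName(desc.getName(), false, cl);
            } catch (ClassNotFoundException e) {
                return super.resolveClass(desc);
            }
        }
    }

    // Allowlist (an assumption for this demo): the trailing "!*" rejects every
    // class not listed, and the limits bound graph depth, array size and
    // reference count before any class is resolved. The same string can be
    // passed as -Djdk.serialFilter to apply it process-wide.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.lang.Number;java.util.ArrayList;"
            + "maxdepth=8;maxarray=10000;maxrefs=10000;!*");

    // Hardened variant: identical class resolution, plus the per-stream filter.
    // A JEP-290 filter runs before resolveClass, so the rejection happens
    // before the class loader is even consulted.
    static class FilteredObjectInputStream extends UnfilteredObjectInputStream {
        FilteredObjectInputStream(InputStream in) throws IOException {
            super(in);
            setObjectInputFilter(ALLOWLIST);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with or without the filter and reports the outcome.
    static String readWith(boolean filtered, byte[] bytes) {
        try (ObjectInputStream ois = filtered
                ? new FilteredObjectInputStream(new ByteArrayInputStream(bytes))
                : new UnfilteredObjectInputStream(new ByteArrayInputStream(bytes))) {
            return "accepted " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";   // "filter status: REJECTED"
        } catch (IOException | ClassNotFoundException e) {
            return "error " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a benign session-attribute-like value, and a
        // PriorityQueue with a comparator as a stand-in for a gadget carrier
        // (PriorityQueue.readObject invokes the comparator while re-heapifying).
        List<String> benign = new ArrayList<>(List.of("user=alice", "role=viewer"));
        PriorityQueue<Integer> carrier = new PriorityQueue<Integer>(Comparator.<Integer>reverseOrder());
        carrier.add(1);
        carrier.add(2);

        byte[] benignBytes = serialize(benign);
        byte[] carrierBytes = serialize(carrier);

        System.out.println("unfiltered, benign : " + readWith(false, benignBytes));
        System.out.println("unfiltered, carrier: " + readWith(false, carrierBytes));
        System.out.println("filtered,   benign : " + readWith(true, benignBytes));
        System.out.println("filtered,   carrier: " + readWith(true, carrierBytes));
    }
}
```

Run with `java SerialFilterDemo.java` on Java 11 or later. The unfiltered stream accepts both objects; the filtered stream accepts the ArrayList of strings and rejects the PriorityQueue with an InvalidClassException before its readObject runs. The global -Djdk.serialFilter property gives the same protection to every ObjectInputStream in the process that does not set its own filter, which is why the vendor recommends it for catalog and container servers; note that a filter set on the stream replaces the global one for that stream, so the per-stream allowlist must be at least as strict.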

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs
Title | (none) | IBM WebSphere eXtreme Scale is affected by Insecure Deserialization
First Time appeared | (none) | Ibm; Ibm websphere Extreme Scale
Weaknesses | (none) | CWE-502
CPEs | (none) | cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*
Vendors & Products | (none) | Ibm; Ibm websphere Extreme Scale
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:24:03.665Z

Reserved: 2026-06-29T18:10:36.156Z

Link: CVE-2026-13759

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T20:30:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data