Description
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 allow an authenticated remote attacker who can influence an application‑built Object Query Language (OQL) string to control the resolution of class names via Class.forName and invoke arbitrary constructors. The vulnerable OQL engine executes constructors at three sinks—SELECT NEW, enum literals, and reflection‑based comparators—without any allow‑list or validation, permitting execution of arbitrary code on the WebSphere Application Server JVM. This flaw can lead to full compromise of the JVM running the application, exposing any data or services it hosts.

Affected Systems

The affected product is IBM WebSphere Extreme Scale simple grid deployments, specifically versions 8.6.1.0 to 8.6.1.6. Systems that use the grid solely for session caching are not affected because OQL queries are not executed against session data. Any system where the application constructs or executes OQL statements—particularly those that embed user input—faces risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score is currently unavailable, meaning the probability of exploitation in the wild cannot be quantified. The vulnerability is not listed in CISA KEV, but its impact is significant for applications exposing OQL query capabilities. Exploitability requires authenticating to the application and the ability to influence OQL query strings; once achieved, the remote attacker can execute arbitrary constructors on the JVM, potentially gaining full process control. Mitigation relies on application‑level code changes and input validation rather than a vendor patch. Users should evaluate whether their deployment uses OQL and apply the recommended safeguards.

Generated by OpenCVE AI on June 30, 2026 at 20:20 UTC.

Remediation

Vendor Solution

If eXtreme Scale is being used as a Session Cache (Session Grid), this vulnerability is not applicable. In a Session Grid deployment, applications typically use eXtreme Scale only to store and retrieve HTTP session data and do not create or execute Object Query Language (OQL) queries against the session data. As a result, the vulnerable OQL functionality is not exercised.

If eXtreme Scale is being used as a Simple Grid and the application executes OQL queries, the risk can be mitigated through application code changes. Recommended mitigation strategies include:

1. Never concatenate user-supplied input directly into OQL statements. Use query parameters wherever possible.
2. Restrict dynamically specified class names to a predefined allow list of approved classes.
3. Do not allow end users to construct or modify OQL query syntax.
4. Avoid dynamically loading comparator classes or using reflection-based sorting based on user input.
5. Validate and sanitize all user-supplied values before they are used to construct OQL queries.

These mitigations help prevent untrusted input from influencing OQL execution and eliminate the attack paths associated with this vulnerability.


OpenCVE Recommended Actions

  • Refactor OQL statements to avoid directly concatenating user input; use query parameters or safe APIs instead.
  • Enforce a whitelist of allowed class names for OQL queries and reject any unapproved classes.
  • Validate and sanitize all values supplied by users before incorporating them into OQL statements.
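The vendor mitigations and the recommended actions above describe the same defensive pattern: keep caller-influenced text out of the statement, allow-list any class or attribute name the statement must contain, and pass values as bound parameters. The Java class below is an added example written for this page, not IBM's code and not the WebSphere eXtreme Scale API. It assumes an application DTO `com.example.ProductSummary`, a grid entity `Product` with attributes `name`, `price` and `category`, and the `:name` named-parameter syntax; it shows the concatenating (vulnerable) builder next to the hardened one that rejects anything outside the allow-lists.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustrative hardened OQL builder (assumed names throughout; not the WXS API).
 * It produces only the statement text plus the values to bind, so no caller-controlled
 * text can reach Class.forName() or the query parser.
 */
public final class SafeOqlBuilder {

    /** Result classes the application permits in SELECT NEW (assumed DTO). */
    private static final Set<String> ALLOWED_NEW_CLASSES =
            Set.of("com.example.ProductSummary");

    /** Queryable attributes of the assumed Product entity. */
    private static final Set<String> ALLOWED_ATTRIBUTES =
            Set.of("name", "price", "category");

    /** Defence in depth: even allow-listed names must be plain identifiers. */
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Statement text plus named parameters, to be bound through the grid's query API. */
    public static final class QuerySpec {
        public final String oql;
        public final Map<String, Object> params;

        QuerySpec(String oql, Map<String, Object> params) {
            this.oql = oql;
            this.params = Map.copyOf(params);
        }
    }

    /** VULNERABLE pattern (violates mitigations 1-4): class name, attribute and raw value
     *  all become statement text, so the caller decides what Class.forName() resolves. */
    public static String unsafeBuild(String newClass, String attribute, String value) {
        return "SELECT NEW " + newClass + "(e.name, e.price) FROM Product e"
                + " WHERE e." + attribute + " = '" + value + "'";
    }

    /** Hardened builder: allow-listed class and attribute names, value bound as a parameter,
     *  sort order limited to a fixed attribute plus ASC/DESC (no caller-named comparator). */
    public static QuerySpec build(String newClass, String attribute, Object value,
                                  String orderBy, boolean ascending) {
        if (newClass == null || !ALLOWED_NEW_CLASSES.contains(newClass)) {
            throw new IllegalArgumentException("class not allow-listed: " + newClass);
        }
        requireAttribute(attribute);
        requireAttribute(orderBy);
        // The value never becomes statement text; it travels as the :value parameter.
        String oql = "SELECT NEW " + newClass + "(e.name, e.price) FROM Product e"
                + " WHERE e." + attribute + " = :value"
                + " ORDER BY e." + orderBy + (ascending ? " ASC" : " DESC");
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("value", value);
        return new QuerySpec(oql, params);
    }

    private static void requireAttribute(String name) {
        if (name == null || !IDENT.matcher(name).matches() || !ALLOWED_ATTRIBUTES.contains(name)) {
            throw new IllegalArgumentException("attribute not allow-listed: " + name);
        }
    }

    public static void main(String[] args) {
        QuerySpec ok = build("com.example.ProductSummary", "category", "books", "price", true);
        System.out.println(ok.oql + "   params=" + ok.params);
        // Assumption: the application then creates the query from ok.oql with the grid's
        // query API and binds each entry of ok.params by name; consult the product Javadoc
        // for the exact binding calls, which this example does not reproduce.
        for (String bad : new String[] {"com.example.NotApproved", "java.lang.Object"}) {
            try {
                build(bad, "category", "books", "price", true);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is an exact-match allow-list, not a deny-list or a package-prefix test: a prefix test would still let a caller name any class under an approved package, and a deny-list has to anticipate every gadget. Keeping the statement's class and attribute names as application constants, and moving every caller-supplied value into a bound parameter, removes the three reflective sinks the description names from the caller's reach.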

Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries
Title IBM WebSphere eXtreme Scale's OQL is affected by remote code execution
First Time appeared Ibm
Ibm websphere Extreme Scale
Weaknesses CWE-470
CPEs cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm websphere Extreme Scale
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:21:43.212Z

Reserved: 2026-06-29T21:47:01.091Z

Link: CVE-2026-13772

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T20:30:04Z

Weaknesses
  • CWE-470

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')