Description
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.
Published: 2026-06-01
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM WebSphere Application Server versions 8.5 and 9.0 contain a flaw that allows an attacker to execute arbitrary code on the server. The defect is caused by unsafe deserialization of data received through JAX‑WS web service endpoints that are enabled for WS‑Security. When an attacker sends a specially crafted SOAP message to one of these endpoints, the untrusted payload is deserialized by the server, leading to remote code execution and full compromise of the application’s integrity. This flaw is classified as CWE‑502.

Affected Systems

Affected products are IBM WebSphere Application Server 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28. Users running these versions should review the IBM advisory and apply the recommended fixes.

Risk and Exploitability

The vulnerability scores a CVSS of 9, indicating critical severity. The EPSS score is not disclosed, and the issue is not yet listed in the CISA KEV catalog. The attack requires remote network access to the server’s SOAP endpoint; no local privileges or auxiliary credentials are needed. Because the flaw permits arbitrary code execution, the risk to confidentiality, integrity, and availability is high.

Generated by OpenCVE AI on June 1, 2026 at 20:36 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71454. For IBM WebSphere Application Server traditional: For V9.0.0.0 through 9.0.5.28: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71454 https://www.ibm.com/support/pages/node/7274234 --OR-- · Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).  For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71454 https://www.ibm.com/support/pages/node/7274234 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).  Additional interim fixes may be available and linked off the interim fix download page.

OpenCVE Recommended Actions

  • Apply the IBM interim fix for APAR PH71454 as documented at the IBM support page to eliminate unsafe deserialization of JAX‑WS payloads.
  • If the interim fix is not applied immediately, upgrade to the latest available Fix Pack (9.0.5.29 or later, or 8.5.5.30 or later) once it becomes available.
  • Restrict network access to the JAX‑WS endpoints used by the application and disable any WS‑Security endpoints that are unnecessary for business operations.
  • Monitor SOAP traffic for anomalous requests and investigate any suspicious activity promptly.

Generated by OpenCVE AI on June 1, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.
Title IBM WebSphere Application Server is affected by a remote code execution vulnerability
First Time appeared Ibm
Ibm websphere Application Server
Weaknesses CWE-502
CPEs cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Ibm Websphere Application Server
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-01T17:59:43.755Z

Reserved: 2026-05-22T20:33:29.999Z

Link: CVE-2026-9319

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T19:16:55.680

Modified: 2026-06-01T19:16:55.680

Link: CVE-2026-9319

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses