ZeroPath at Black Hat USA 2026

IBM WebSphere Application Server CVE-2026-9311: Brief Summary of a Critical RCE via Security Control Bypass

A brief summary of CVE-2026-9311, a CVSS 9.0 remote code execution vulnerability in IBM WebSphere Application Server 8.5 and 9.0 caused by a code injection flaw that bypasses existing security controls. No workarounds are available; patching is the only remediation path.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

IBM WebSphere Application Server CVE-2026-9311: Brief Summary of a Critical RCE via Security Control Bypass
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A critical code injection vulnerability in IBM WebSphere Application Server allows unauthenticated remote attackers to bypass security controls and execute arbitrary code, with the potential to impact resources beyond the WebSphere process boundary itself. With approximately 2,819 verified companies running WebSphere Application Server across enterprise and government sectors, and IBM confirming that no workarounds exist, this vulnerability demands immediate attention from any organization still running versions 8.5 or 9.0.

What makes CVE-2026-9311 particularly notable is not just its CVSS 9.0 severity rating, but the pattern it continues. This is the third critical RCE vulnerability scoring 9.0 or higher to affect these same WebSphere versions in three consecutive years, following CVE-2023-23477 (CVSS 9.8) and CVE-2025-36038 (CVSS 9.0). The CVSS vector string for CVE-2026-9311 is identical to CVE-2025-36038, suggesting the attack surface and impact profile remain fundamentally unchanged despite prior remediation efforts.

Technical Information

Root Cause: CWE-94 Code Injection via Security Control Bypass

CVE-2026-9311 is classified under CWE-94: Improper Control of Generation of Code ("Code Injection"). This weakness class occurs when a product constructs all or part of a code segment using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code.

The core mechanism involves an attacker injecting control plane data into the user controlled data plane, which alters the execution of the process. Unlike other vulnerability classes that require additional conditions to achieve code execution, injection flaws of this type only need the injected data to be parsed by the interpreter, making them particularly dangerous.

IBM's security bulletin describes the vulnerability as remote code execution "caused by the bypass of security controls." This phrasing indicates that WebSphere contains protective mechanisms designed to restrict code generation or execution, and that these mechanisms were circumvented, allowing attacker controlled input to influence code construction and execution.

CVSS v3.1 Vector Breakdown

The full CVSS v3.1 vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:

CVSS MetricValueInterpretation
Attack Vector (AV)NetworkExploitable remotely over a network
Attack Complexity (AC)HighRequires specialized conditions beyond attacker control
Privileges Required (PR)NoneNo authentication needed
User Interaction (UI)NoneNo user action required
Scope (S)ChangedImpacts resources beyond the vulnerable component
Confidentiality (C)HighTotal information disclosure
Integrity (I)HighTotal system compromise
Availability (A)HighTotal service disruption

The High attack complexity is worth noting: it indicates that successful exploitation requires conditions beyond the attacker's control, such as specific server configurations, deployed applications, or timing considerations. This may slow initial exploit development. However, the None values for both Privileges Required and User Interaction mean the attack can be launched by any unauthenticated remote attacker without requiring any victim action.

The Scope: Changed designation is the most consequential metric here. It means exploitation can propagate beyond the WebSphere process boundary to affect other system components, potentially enabling lateral movement within enterprise environments. This is consistent with code injection vulnerabilities where the injected code can access resources that the attacker is otherwise prevented from accessing, including bypassing protection mechanisms, gaining privileges or assuming identity, executing unauthorized commands, and hiding activities.

CWE-94 in Context

CWE-94 sits within a broader taxonomy of injection vulnerabilities. It is a child of CWE-74 (Injection) and CWE-913 (Improper Control of Dynamically Managed Code Resources), and a parent of CWE-95 (Eval Injection), CWE-96 (Static Code Injection), and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

Associated CAPEC attack patterns include:

CAPEC IDNameDescription
CAPEC-242Code InjectionDirect injection of arbitrary code into a vulnerable program
CAPEC-35Leverage Executable Code in Non-Executable FilesPlacing executable code in file types not expected to be executable
CAPEC-77Manipulating User-Controlled VariablesAltering variables under user control to change program behavior

MITRE rates the likelihood of exploit for CWE-94 as Medium, though the specific implementation in WebSphere with a CVSS 9.0 score elevates the practical risk significantly.

Co-Disclosure with CVE-2026-9330

The same IBM security bulletin (node/7274733) addresses CVE-2026-9330, another remote code execution vulnerability. The co-disclosure of two independent RCE flaws in the same bulletin suggests that either a coordinated audit uncovered multiple issues, or that the security architecture of these WebSphere versions contains multiple exploitable paths. Both vulnerabilities are addressed by the same fix packs, tied to APAR PH71453.

Remediation: No Workarounds, Patch Only

IBM has explicitly stated that no workarounds or mitigations are available for this vulnerability. The only remediation path is applying the specified fix packs or interim fixes:

Affected Version RangeRequired Remediation
WebSphere AS V9.0.0.0 through 9.0.5.28Apply Fix Pack 9.0.5.29 or later, or apply Interim Fix for PH71453
WebSphere AS V8.5.0.0 through 8.5.5.29Apply Fix Pack 8.5.5.30 or later, or apply Interim Fix for PH71453

The interim fix should be treated as a temporary measure until the full fix pack can be applied.

Defense in Depth While Patching

Given the complete absence of workarounds, organizations should implement layered defenses while patches are being deployed:

  1. Network segmentation: Isolate WebSphere Application Server instances from untrusted networks using firewalls and micro-segmentation to reduce the attack surface for the network accessible vector.
  2. Accelerated patch deployment: Prioritize CVE-2026-9311 remediation above other maintenance activities given the CVSS 9.0 score and lack of workarounds.
  3. Intrusion monitoring: Deploy intrusion detection and prevention systems to identify potential exploitation attempts targeting the code injection vector.
  4. Address CVE-2026-9330 simultaneously: The same security bulletin addresses CVE-2026-9330, another RCE vulnerability. Ensure patching covers both CVEs.

Affected Systems and Versions

The following IBM WebSphere Application Server versions are affected:

  • IBM WebSphere Application Server 9.0: Versions 9.0.0.0 through 9.0.5.28
  • IBM WebSphere Application Server 8.5: Versions 8.5.0.0 through 8.5.5.29

The fix is delivered through:

  • Fix Pack 9.0.5.29 or later (for the 9.0 line)
  • Fix Pack 8.5.5.30 or later (for the 8.5 line)
  • Interim Fix for APAR PH71453 (for both lines, as a temporary measure)

Organizations running any version within these ranges should treat patching as an emergency operation. The NVD record was published on June 1, 2026, and has been marked for NVD enrichment efforts; no CVSS v4.0 score has been assigned yet, meaning severity assessment may evolve.

Vendor Security History

IBM WebSphere Application Server versions 8.5 and 9.0 have accumulated a concerning track record of critical RCE vulnerabilities over recent years:

CVE IDYearCVSSCWEDescription
CVE-2026-931120269.0CWE-94RCE via bypass of security controls (code injection)
CVE-2026-93302026Not yet scoredNot yet classifiedRCE (co-disclosed with CVE-2026-9311)
CVE-2026-86332026CriticalNot yet classifiedRCE in Web Server Plug-ins for WebSphere AS 8.5 and 9.0
CVE-2025-3603820259.0CWE-502RCE via deserialization of untrusted data
CVE-2023-2347720239.8CWE-502RCE via improper handling of Java object deserialization

The pattern here is clear: deserialization and code injection have been persistent attack vectors in WebSphere AS 8.5 and 9.0 across multiple years. The identical CVSS vector strings for CVE-2026-9311 and CVE-2025-36038 (both CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) suggest similar fundamental weaknesses in the security architecture of these product versions.

SentinelOne documented CVE-2023-23477 as a vulnerability that could allow "an unauthenticated attacker to achieve complete system compromise." The New York State Office of Information Technology Services issued advisory 2020-081 specifically highlighting that WebSphere RCE vulnerabilities could be used to "gain access to the underlying operating system."

Three critical RCE vulnerabilities scoring 9.0 or higher in the same product versions across three consecutive years raises a legitimate question: whether the security hardening applied between disclosures is addressing symptoms rather than root causes. Organizations running WebSphere AS 8.5 or 9.0 should consider not only patching this individual CVE but also evaluating whether continued reliance on these product versions represents an acceptable long-term risk posture. Migration to WebSphere Application Server Liberty or alternative platforms may warrant strategic consideration.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization