Introduction
A critical code injection vulnerability in IBM WebSphere Application Server allows unauthenticated remote attackers to bypass security controls and execute arbitrary code, with the potential to impact resources beyond the WebSphere process boundary itself. With approximately 2,819 verified companies running WebSphere Application Server across enterprise and government sectors, and IBM confirming that no workarounds exist, this vulnerability demands immediate attention from any organization still running versions 8.5 or 9.0.
What makes CVE-2026-9311 particularly notable is not just its CVSS 9.0 severity rating, but the pattern it continues. This is the third critical RCE vulnerability scoring 9.0 or higher to affect these same WebSphere versions in three consecutive years, following CVE-2023-23477 (CVSS 9.8) and CVE-2025-36038 (CVSS 9.0). The CVSS vector string for CVE-2026-9311 is identical to CVE-2025-36038, suggesting the attack surface and impact profile remain fundamentally unchanged despite prior remediation efforts.
Technical Information
Root Cause: CWE-94 Code Injection via Security Control Bypass
CVE-2026-9311 is classified under CWE-94: Improper Control of Generation of Code ("Code Injection"). This weakness class occurs when a product constructs all or part of a code segment using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code.
The core mechanism involves an attacker injecting control plane data into the user controlled data plane, which alters the execution of the process. Unlike other vulnerability classes that require additional conditions to achieve code execution, injection flaws of this type only need the injected data to be parsed by the interpreter, making them particularly dangerous.
IBM's security bulletin describes the vulnerability as remote code execution "caused by the bypass of security controls." This phrasing indicates that WebSphere contains protective mechanisms designed to restrict code generation or execution, and that these mechanisms were circumvented, allowing attacker controlled input to influence code construction and execution.
CVSS v3.1 Vector Breakdown
The full CVSS v3.1 vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| CVSS Metric | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over a network |
| Attack Complexity (AC) | High | Requires specialized conditions beyond attacker control |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No user action required |
| Scope (S) | Changed | Impacts resources beyond the vulnerable component |
| Confidentiality (C) | High | Total information disclosure |
| Integrity (I) | High | Total system compromise |
| Availability (A) | High | Total service disruption |
The High attack complexity is worth noting: it indicates that successful exploitation requires conditions beyond the attacker's control, such as specific server configurations, deployed applications, or timing considerations. This may slow initial exploit development. However, the None values for both Privileges Required and User Interaction mean the attack can be launched by any unauthenticated remote attacker without requiring any victim action.
The Scope: Changed designation is the most consequential metric here. It means exploitation can propagate beyond the WebSphere process boundary to affect other system components, potentially enabling lateral movement within enterprise environments. This is consistent with code injection vulnerabilities where the injected code can access resources that the attacker is otherwise prevented from accessing, including bypassing protection mechanisms, gaining privileges or assuming identity, executing unauthorized commands, and hiding activities.
CWE-94 in Context
CWE-94 sits within a broader taxonomy of injection vulnerabilities. It is a child of CWE-74 (Injection) and CWE-913 (Improper Control of Dynamically Managed Code Resources), and a parent of CWE-95 (Eval Injection), CWE-96 (Static Code Injection), and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).
Associated CAPEC attack patterns include:
| CAPEC ID | Name | Description |
|---|---|---|
| CAPEC-242 | Code Injection | Direct injection of arbitrary code into a vulnerable program |
| CAPEC-35 | Leverage Executable Code in Non-Executable Files | Placing executable code in file types not expected to be executable |
| CAPEC-77 | Manipulating User-Controlled Variables | Altering variables under user control to change program behavior |
MITRE rates the likelihood of exploit for CWE-94 as Medium, though the specific implementation in WebSphere with a CVSS 9.0 score elevates the practical risk significantly.
Co-Disclosure with CVE-2026-9330
The same IBM security bulletin (node/7274733) addresses CVE-2026-9330, another remote code execution vulnerability. The co-disclosure of two independent RCE flaws in the same bulletin suggests that either a coordinated audit uncovered multiple issues, or that the security architecture of these WebSphere versions contains multiple exploitable paths. Both vulnerabilities are addressed by the same fix packs, tied to APAR PH71453.
Remediation: No Workarounds, Patch Only
IBM has explicitly stated that no workarounds or mitigations are available for this vulnerability. The only remediation path is applying the specified fix packs or interim fixes:
| Affected Version Range | Required Remediation |
|---|---|
| WebSphere AS V9.0.0.0 through 9.0.5.28 | Apply Fix Pack 9.0.5.29 or later, or apply Interim Fix for PH71453 |
| WebSphere AS V8.5.0.0 through 8.5.5.29 | Apply Fix Pack 8.5.5.30 or later, or apply Interim Fix for PH71453 |
The interim fix should be treated as a temporary measure until the full fix pack can be applied.
Defense in Depth While Patching
Given the complete absence of workarounds, organizations should implement layered defenses while patches are being deployed:
- Network segmentation: Isolate WebSphere Application Server instances from untrusted networks using firewalls and micro-segmentation to reduce the attack surface for the network accessible vector.
- Accelerated patch deployment: Prioritize CVE-2026-9311 remediation above other maintenance activities given the CVSS 9.0 score and lack of workarounds.
- Intrusion monitoring: Deploy intrusion detection and prevention systems to identify potential exploitation attempts targeting the code injection vector.
- Address CVE-2026-9330 simultaneously: The same security bulletin addresses CVE-2026-9330, another RCE vulnerability. Ensure patching covers both CVEs.
Affected Systems and Versions
The following IBM WebSphere Application Server versions are affected:
- IBM WebSphere Application Server 9.0: Versions 9.0.0.0 through 9.0.5.28
- IBM WebSphere Application Server 8.5: Versions 8.5.0.0 through 8.5.5.29
The fix is delivered through:
- Fix Pack 9.0.5.29 or later (for the 9.0 line)
- Fix Pack 8.5.5.30 or later (for the 8.5 line)
- Interim Fix for APAR PH71453 (for both lines, as a temporary measure)
Organizations running any version within these ranges should treat patching as an emergency operation. The NVD record was published on June 1, 2026, and has been marked for NVD enrichment efforts; no CVSS v4.0 score has been assigned yet, meaning severity assessment may evolve.
Vendor Security History
IBM WebSphere Application Server versions 8.5 and 9.0 have accumulated a concerning track record of critical RCE vulnerabilities over recent years:
| CVE ID | Year | CVSS | CWE | Description |
|---|---|---|---|---|
| CVE-2026-9311 | 2026 | 9.0 | CWE-94 | RCE via bypass of security controls (code injection) |
| CVE-2026-9330 | 2026 | Not yet scored | Not yet classified | RCE (co-disclosed with CVE-2026-9311) |
| CVE-2026-8633 | 2026 | Critical | Not yet classified | RCE in Web Server Plug-ins for WebSphere AS 8.5 and 9.0 |
| CVE-2025-36038 | 2025 | 9.0 | CWE-502 | RCE via deserialization of untrusted data |
| CVE-2023-23477 | 2023 | 9.8 | CWE-502 | RCE via improper handling of Java object deserialization |
The pattern here is clear: deserialization and code injection have been persistent attack vectors in WebSphere AS 8.5 and 9.0 across multiple years. The identical CVSS vector strings for CVE-2026-9311 and CVE-2025-36038 (both CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) suggest similar fundamental weaknesses in the security architecture of these product versions.
SentinelOne documented CVE-2023-23477 as a vulnerability that could allow "an unauthenticated attacker to achieve complete system compromise." The New York State Office of Information Technology Services issued advisory 2020-081 specifically highlighting that WebSphere RCE vulnerabilities could be used to "gain access to the underlying operating system."
Three critical RCE vulnerabilities scoring 9.0 or higher in the same product versions across three consecutive years raises a legitimate question: whether the security hardening applied between disclosures is addressing symptoms rather than root causes. Organizations running WebSphere AS 8.5 or 9.0 should consider not only patching this individual CVE but also evaluating whether continued reliance on these product versions represents an acceptable long-term risk posture. Migration to WebSphere Application Server Liberty or alternative platforms may warrant strategic consideration.
References
- NVD: CVE-2026-9311
- IBM Security Bulletin: IBM WebSphere Application Server is affected by remote code execution (CVE-2026-9311, CVE-2026-9330)
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- IBM Security Bulletin: CVE-2025-36038 (Prior WebSphere RCE)
- SentinelOne: CVE-2023-23477 IBM WebSphere Application Server RCE Flaw
- CISA Known Exploited Vulnerabilities Catalog
- NYS ITS Advisory 2020-081: IBM WebSphere Application Server RCE
- HKCERT: IBM WebSphere Products Multiple Vulnerabilities (May 2026)
- Companies using IBM WebSphere Application Server (Landbase)
- 6Sense: IBM WebSphere Application Server Market Share
- IBM Security Bulletins Overview



