ZeroPath at Black Hat USA 2026

IBM WebSphere Application Server CVE-2026-9319: Brief Summary of Critical RCE via JAX-WS Deserialization

A brief summary of CVE-2026-9319, a critical CVSS 9.0 remote code execution vulnerability in IBM WebSphere Application Server caused by insecure deserialization of untrusted data via JAX-WS endpoints configured with WS-Security. Affected versions span both the 8.5 and 9.0 release streams, and no workarounds are available.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

IBM WebSphere Application Server CVE-2026-9319: Brief Summary of Critical RCE via JAX-WS Deserialization
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Enterprise organizations running IBM WebSphere Application Server with JAX-WS web services and WS-Security now face a critical remote code execution vulnerability that carries a CVSS 9.0 score and, notably, has no available workarounds. CVE-2026-9319 exploits insecure deserialization in the WS-Security processing pipeline, a code path that has been a recurring source of security flaws in WebSphere, and the scope change designation in its CVSS vector means successful exploitation can reach beyond the compromised component into adjacent systems.

Technical Information

Root Cause: CWE-502 Deserialization of Untrusted Data

CVE-2026-9319 is rooted in CWE-502, Deserialization of Untrusted Data. The vulnerability exists in how IBM WebSphere Application Server processes incoming data at JAX-WS (Java API for XML Web Services) endpoints that are configured with WS-Security. When the WebSphere runtime processes WS-Security elements in SOAP messages, it deserializes data without adequate type validation or restriction, allowing an attacker to inject malicious serialized Java objects.

CVSS 3.1 Vector Breakdown

The CVSS 3.1 vector string, as published in the IBM Security Bulletin, is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 9.0 (Critical).

MetricValueMeaning
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)HighRequires conditions beyond attacker control
Privileges Required (PR)NoneNo authentication needed
User Interaction (UI)NoneNo user action required
Scope (S)ChangedImpacts components beyond the vulnerable scope
Confidentiality (C)HighTotal information disclosure possible
Integrity (I)HighTotal system integrity compromise possible
Availability (A)HighTotal system availability loss possible

The scope change (S:C) is the most operationally significant element here. It means that exploitation of the WebSphere JAX-WS endpoint can affect resources governed by a different security authority than the vulnerable component itself, effectively expanding the blast radius of a successful attack.

The high attack complexity (AC:H) suggests that exploitation is not trivial. Specific conditions must be met, likely including the target endpoint having WS-Security configured in a particular manner and the attacker needing knowledge of available gadget chains in the specific server configuration.

Attack Flow

The exploitation follows the well established Java deserialization attack pattern:

  1. Reconnaissance: The attacker identifies exposed JAX-WS endpoints with WS-Security enabled on a target WebSphere server. These endpoints are commonly found in enterprise SOA deployments.

  2. Payload Construction: The attacker constructs a specially crafted SOAP message containing a malicious serialized Java object within the WS-Security header or message body.

  3. Deserialization Trigger: When the WebSphere runtime processes the WS-Security elements of the incoming SOAP message, it deserializes the untrusted data without adequate type validation or restriction.

  4. Code Execution: The deserialized object triggers a gadget chain, leveraging existing classes in the WebSphere classpath to execute arbitrary code on the server with the privileges of the WebSphere process.

This pattern is consistent with how prior WebSphere deserialization vulnerabilities have been exploited. For CVE-2025-36038, the documented attack methodology involved identifying exposed WebSphere Application Server endpoints that accept serialized Java objects and sending malicious serialized payloads containing gadget chains that leverage existing classes in the server's classpath to achieve arbitrary code execution.

Prior JAX-WS WS-Security Vulnerability

The JAX-WS WS-Security processing pipeline has been a documented attack surface before. APAR PM86026 addressed a WS-Security XML digital signature vulnerability affecting IBM WebSphere users of WS-Security enabled JAX-WS applications. That earlier flaw allowed a network attacker to spoof message signatures by sending a specially crafted SOAP message. CVE-2026-9319 targets the same general code path but exploits deserialization rather than signature validation, representing a different class of attack against the same subsystem.

NVD Assessment Status

As of publication, the NVD has not yet provided its own CVSS assessment. The CVSS 4.0 score is listed as "NVD N/A" and no CPE configuration data has been published. The severity rating may be revised once NIST completes its independent analysis.

Affected Systems and Versions

The following IBM WebSphere Application Server versions are affected:

ProductVulnerable Version RangePlatforms
WebSphere Application Server V9.09.0.0.0 through 9.0.5.28AIX, IBM i, Linux, Windows, z/OS
WebSphere Application Server V8.58.5.0.0 through 8.5.5.29AIX, IBM i, Linux, Windows, z/OS

The vulnerable configuration requires JAX-WS endpoints with WS-Security enabled, a common configuration in enterprise SOA deployments.

Full fix packs (9.0.5.29 for V9.0 and 8.5.5.30 for V8.5) are targeted for Q3 2026. In the interim, the only supported remediation is applying the Interim Fix for APAR PH71454. IBM explicitly states that no workarounds or mitigations are available.

Vendor Security History

IBM WebSphere Application Server has experienced a recurring pattern of deserialization vulnerabilities affecting the same version streams:

CVE IDCVSS ScoreYearWeakness
CVE-2026-93199.02026CWE-502 (JAX-WS WS-Security deserialization)
CVE-2025-360389.82025CWE-502 (Insecure deserialization)
CVE-2023-234779.82023CWE-502 (Deserialization of untrusted data)
CVE-2020-4589Not specified2020CWE-502 (Deserialization of untrusted data)

All four CVEs affect WebSphere 8.5 and 9.0 (CVE-2020-4589 also affected 7.0). This pattern across multiple years and code paths indicates a systemic challenge in how WebSphere handles deserialization. Organizations running these versions should consider broader strategic defenses, including evaluating migration to WebSphere Liberty (which may not share the same vulnerable code paths for traditional JAX-WS) and implementing runtime deserialization filtering at the JVM level where feasible.

It is worth noting that prior WebSphere deserialization CVEs with similar initial descriptions were subsequently assigned CVSS 9.8 scores with low attack complexity once fully analyzed. The current AC:H rating for CVE-2026-9319 may be revised.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization