Introduction
Enterprise organizations running IBM WebSphere Application Server with JAX-WS web services and WS-Security now face a critical remote code execution vulnerability that carries a CVSS 9.0 score and, notably, has no available workarounds. CVE-2026-9319 exploits insecure deserialization in the WS-Security processing pipeline, a code path that has been a recurring source of security flaws in WebSphere, and the scope change designation in its CVSS vector means successful exploitation can reach beyond the compromised component into adjacent systems.
Technical Information
Root Cause: CWE-502 Deserialization of Untrusted Data
CVE-2026-9319 is rooted in CWE-502, Deserialization of Untrusted Data. The vulnerability exists in how IBM WebSphere Application Server processes incoming data at JAX-WS (Java API for XML Web Services) endpoints that are configured with WS-Security. When the WebSphere runtime processes WS-Security elements in SOAP messages, it deserializes data without adequate type validation or restriction, allowing an attacker to inject malicious serialized Java objects.
CVSS 3.1 Vector Breakdown
The CVSS 3.1 vector string, as published in the IBM Security Bulletin, is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 9.0 (Critical).
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | High | Requires conditions beyond attacker control |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No user action required |
| Scope (S) | Changed | Impacts components beyond the vulnerable scope |
| Confidentiality (C) | High | Total information disclosure possible |
| Integrity (I) | High | Total system integrity compromise possible |
| Availability (A) | High | Total system availability loss possible |
The scope change (S:C) is the most operationally significant element here. It means that exploitation of the WebSphere JAX-WS endpoint can affect resources governed by a different security authority than the vulnerable component itself, effectively expanding the blast radius of a successful attack.
The high attack complexity (AC:H) suggests that exploitation is not trivial. Specific conditions must be met, likely including the target endpoint having WS-Security configured in a particular manner and the attacker needing knowledge of available gadget chains in the specific server configuration.
Attack Flow
The exploitation follows the well established Java deserialization attack pattern:
-
Reconnaissance: The attacker identifies exposed JAX-WS endpoints with WS-Security enabled on a target WebSphere server. These endpoints are commonly found in enterprise SOA deployments.
-
Payload Construction: The attacker constructs a specially crafted SOAP message containing a malicious serialized Java object within the WS-Security header or message body.
-
Deserialization Trigger: When the WebSphere runtime processes the WS-Security elements of the incoming SOAP message, it deserializes the untrusted data without adequate type validation or restriction.
-
Code Execution: The deserialized object triggers a gadget chain, leveraging existing classes in the WebSphere classpath to execute arbitrary code on the server with the privileges of the WebSphere process.
This pattern is consistent with how prior WebSphere deserialization vulnerabilities have been exploited. For CVE-2025-36038, the documented attack methodology involved identifying exposed WebSphere Application Server endpoints that accept serialized Java objects and sending malicious serialized payloads containing gadget chains that leverage existing classes in the server's classpath to achieve arbitrary code execution.
Prior JAX-WS WS-Security Vulnerability
The JAX-WS WS-Security processing pipeline has been a documented attack surface before. APAR PM86026 addressed a WS-Security XML digital signature vulnerability affecting IBM WebSphere users of WS-Security enabled JAX-WS applications. That earlier flaw allowed a network attacker to spoof message signatures by sending a specially crafted SOAP message. CVE-2026-9319 targets the same general code path but exploits deserialization rather than signature validation, representing a different class of attack against the same subsystem.
NVD Assessment Status
As of publication, the NVD has not yet provided its own CVSS assessment. The CVSS 4.0 score is listed as "NVD N/A" and no CPE configuration data has been published. The severity rating may be revised once NIST completes its independent analysis.
Affected Systems and Versions
The following IBM WebSphere Application Server versions are affected:
| Product | Vulnerable Version Range | Platforms |
|---|---|---|
| WebSphere Application Server V9.0 | 9.0.0.0 through 9.0.5.28 | AIX, IBM i, Linux, Windows, z/OS |
| WebSphere Application Server V8.5 | 8.5.0.0 through 8.5.5.29 | AIX, IBM i, Linux, Windows, z/OS |
The vulnerable configuration requires JAX-WS endpoints with WS-Security enabled, a common configuration in enterprise SOA deployments.
Full fix packs (9.0.5.29 for V9.0 and 8.5.5.30 for V8.5) are targeted for Q3 2026. In the interim, the only supported remediation is applying the Interim Fix for APAR PH71454. IBM explicitly states that no workarounds or mitigations are available.
Vendor Security History
IBM WebSphere Application Server has experienced a recurring pattern of deserialization vulnerabilities affecting the same version streams:
| CVE ID | CVSS Score | Year | Weakness |
|---|---|---|---|
| CVE-2026-9319 | 9.0 | 2026 | CWE-502 (JAX-WS WS-Security deserialization) |
| CVE-2025-36038 | 9.8 | 2025 | CWE-502 (Insecure deserialization) |
| CVE-2023-23477 | 9.8 | 2023 | CWE-502 (Deserialization of untrusted data) |
| CVE-2020-4589 | Not specified | 2020 | CWE-502 (Deserialization of untrusted data) |
All four CVEs affect WebSphere 8.5 and 9.0 (CVE-2020-4589 also affected 7.0). This pattern across multiple years and code paths indicates a systemic challenge in how WebSphere handles deserialization. Organizations running these versions should consider broader strategic defenses, including evaluating migration to WebSphere Liberty (which may not share the same vulnerable code paths for traditional JAX-WS) and implementing runtime deserialization filtering at the JVM level where feasible.
It is worth noting that prior WebSphere deserialization CVEs with similar initial descriptions were subsequently assigned CVSS 9.8 scores with low attack complexity once fully analyzed. The current AC:H rating for CVE-2026-9319 may be revised.
References
- NVD: CVE-2026-9319
- IBM Security Bulletin: IBM WebSphere Application Server is affected by a remote code execution vulnerability (CVE-2026-9319)
- CWE-502: Deserialization of Untrusted Data
- CVE-2025-36038: IBM WebSphere Application Server Insecure Deserialization
- CVE-2023-23477: IBM WebSphere Application Server Deserialization
- CVE-2020-4589: IBM WebSphere Application Server RCE Flaw
- Rapid7 Metasploit Module: IBM WebSphere RCE Java Deserialization
- IBM APAR PM86026: JAX-WS WS-Security Digital Signature Vulnerability
- NSFOCUS: WebSphere Application Server Remote Code Execution Vulnerability (CVE-2025-36038)
- NY State ITS: Vulnerability in IBM WebSphere Application Server
- Acunetix: IBM WebSphere RCE Java Deserialization Vulnerability
- OpenCVE: Vulnerabilities for WebSphere Application Server
- IBM Fix List for WebSphere Application Server V8.5



