Introduction
A deserialization flaw in IBM WebSphere Application Server's SAML Web Single Sign-On component allows a low-privilege authenticated attacker to achieve remote code execution by injecting a crafted serialized Java object into a client-side cookie that the server blindly trusts. With 456 tracked CVEs against WebSphere and existing public exploit tooling for prior deserialization vulnerabilities in the same product, this CVSS 8.5 vulnerability (CVE-2026-9330) lands in a well-worn attack surface where exploit development is not a matter of "if" but "when."
Technical Information
Root Cause: CWE-502 Deserialization of Untrusted Data
CVE-2026-9330 is classified under CWE-502: Deserialization of Untrusted Data, a weakness that appears on the CWE Top 25 Most Dangerous Software Weaknesses list. The vulnerability exists in IBM WebSphere Application Server traditional versions 9.0.0.0 through 9.0.5.28 and 8.5.0.0 through 8.5.5.29. The flaw arises from improper validation of user-supplied data during deserialization operations within the SAML Web Single Sign-On component. According to the NVD description, this "could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain."
The SAML SSO Cookie Deserialization Mechanism
Research into the closely related CVE-2026-1561 (affecting WebSphere Liberty) by Oligo Security reveals the technical mechanism that likely applies to CVE-2026-9330 in the traditional WAS product. The SAML Web SSO mechanism serializes a Java InitialRequest object and stores it client-side in a browser cookie named WASInitialRequest_<relayState>. When the server processes the SAML authentication flow, it reads and deserializes this cookie using ObjectInputStream.readObject().
The InitialRequestUtil class within the com.ibm.ws.security.saml.websso.2.0_1.0.108.jar file contains the vulnerable digestInitialRequestCookieValue() method. A critical implementation flaw involves a String.concat() misuse: the code calls concat() to append a server-side secret to the data being hashed but ignores the return value, leaving the original string unchanged. Since String objects in Java are immutable, concat() returns a new string rather than modifying the original. By discarding this return value, the "server-only secret" intended to prevent cookie forgery never actually participates in the digest computation. This renders the integrity check completely ineffective.
CVSS Vector Breakdown
The CVSS v3.1 vector for CVE-2026-9330 is AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (score 8.5):
| CVSS Component | Value | Interpretation |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the network |
| Attack Complexity | High (AC:H) | Requires specialized conditions or gadget chain knowledge |
| Privileges Required | Low (PR:L) | Attacker needs basic authenticated access |
| User Interaction | None (UI:N) | No user interaction needed |
| Scope | Changed (S:C) | Impact extends beyond the vulnerable component |
| Confidentiality | High (C:H) | Total information disclosure |
| Integrity | High (I:H) | Total system integrity compromise |
| Availability | High (A:H) | Total availability loss |
The "Changed" scope is particularly significant here. Because the vulnerability targets the SAML SSO component, a successful exploit can cascade beyond the WebSphere server itself into the broader federated identity ecosystem.
Attack Flow
The exploitation path proceeds as follows:
-
Reconnaissance: The attacker identifies a WebSphere Application Server instance with SAML Web SSO enabled, reachable over the network.
-
Authentication: The attacker obtains low-privilege authenticated access to the application (PR:L). This could be any valid user account.
-
Cookie Forgery: The attacker crafts a malicious
WASInitialRequest_<relayState>cookie containing a serialized Java object. Because the integrity check on the cookie is bypassed (theString.concat()flaw means the server secret is never included in the digest), the attacker can compute valid digests for arbitrary cookie values. -
Gadget Chain Injection: The serialized object within the cookie is constructed as a gadget chain: a sequence of classes already present on the WebSphere classpath whose deserialization callbacks (
readObject,readResolve, etc.) chain together to achieve arbitrary code execution. -
Deserialization and Execution: The attacker sends the crafted HTTP request to the SAML SSO endpoint. The server deserializes the cookie via
ObjectInputStream.readObject(), triggering the gadget chain and executing arbitrary code on the server.
The attack complexity is rated High (AC:H) specifically because the attacker must identify and construct a working gadget chain from the classes available on the target server. However, this barrier is substantially lowered by the existence of public tooling and research.
Existing Exploit Tooling for WebSphere Deserialization
Public exploit code for similar WebSphere deserialization vulnerabilities already exists and significantly reduces the barrier for developing an exploit targeting CVE-2026-9330:
- Rapid7 hosts a Metasploit module (
exploit/windows/misc/ibm_websphere_java_deserialize) that exploits unsafe deserialization of unauthenticated Java objects in WebSphere. - A second Metasploit module (
exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce) targets the Deployment Manager component. - A detailed technical writeup titled "Shells and Soap: Websphere Deserialization to RCE" demonstrates step-by-step exploitation of WebSphere deserialization, including SOAP-based deserialization paths and gadget chain construction.
Dual Vulnerability Bulletin
IBM published CVE-2026-9330 alongside CVE-2026-9311 (CVSS 9.0, CWE-94 code injection) in the same security bulletin. Both affect WebSphere traditional V9.0 and V8.5, creating two distinct RCE pathways in the same server versions. The same interim fix (APAR PH71453) resolves both vulnerabilities.
Affected Systems and Versions
The following IBM WebSphere Application Server traditional versions are affected:
| Product | Affected Version Range | Fixed Interim | Permanent Fix Pack | Target Availability |
|---|---|---|---|---|
| WebSphere Application Server V9.0 | 9.0.0.0 through 9.0.5.28 | APAR PH71453 | 9.0.5.29 or later | 3Q2026 |
| WebSphere Application Server V8.5 | 8.5.0.0 through 8.5.5.29 | APAR PH71453 | 8.5.5.30 or later | 3Q2026 |
The vulnerability specifically requires the SAML Web Single Sign-On feature to be enabled. Deployments without SAML SSO configured are not exposed to this particular attack vector.
IBM explicitly states that no workarounds or mitigations are available. The only remediation is applying the interim fix (APAR PH71453) or the permanent fix packs when they become available in 3Q2026. Organizations that cannot apply the interim fix immediately should consider disabling the SAML Web SSO feature where operationally feasible, restricting network access to WebSphere servers, and tightly controlling low-privilege account access.
Vendor Security History
IBM WebSphere Application Server has accumulated a substantial CVE history, with OpenCVE tracking 456 CVEs for the product. The recurrence of deserialization vulnerabilities is a notable pattern:
| CVE ID | Year | Type | Severity | Description |
|---|---|---|---|---|
| CVE-2020-4589 | 2020 | CWE-502 Deserialization | High | Insecure deserialization in WAS 7.0, 8.0, 8.5, 9.0 allowing RCE via crafted serialized objects |
| CVE-2024-35154 | 2024 | RCE | High | RCE in administrative console requiring authenticated attacker with console access |
| CVE-2025-36038 | 2025 | Arbitrary Code Execution | High | Arbitrary code execution in WAS 8.5 and 9.0 |
| CVE-2026-1561 | 2026 | CWE-502 Deserialization | High | Pre-authentication unsafe deserialization in SAML Web SSO in WebSphere Liberty |
| CVE-2026-9311 | 2026 | CWE-94 Code Injection | 9.0 | Code injection in WAS Traditional (same bulletin as CVE-2026-9330) |
The broader 2026 WebSphere vulnerability landscape also includes CVE-2026-3621 (identity spoofing in Liberty), CVE-2026-8633 (RCE in Web Server Plug-ins), and CVE-2026-8620 (HTTP request smuggling in Web Server Plug-ins). The Oligo Security research that discovered CVE-2026-1561 identified seven distinct flaws in WebSphere Liberty, creating multiple pathways for privilege escalation and remote code execution.
The recurrence of deserialization vulnerabilities (CVE-2020-4589, CVE-2026-1561, CVE-2026-9330) across multiple years in the same product line, each involving the same fundamental weakness of deserializing attacker-controlled data without adequate validation, suggests the root cause is architectural rather than a one-off coding error. The String.concat() flaw that undermines the cookie integrity check in the SAML SSO flow is a particularly illustrative example: a subtle implementation mistake that completely negates a security control.
In June 2020, the New York State Office of Information Technology Services issued advisory 2020-081 specifically warning about WebSphere deserialization risks, demonstrating that this vulnerability class has historically attracted government-level attention.
References
- NVD: CVE-2026-9330
- IBM Security Bulletin: WebSphere Application Server RCE (CVE-2026-9311, CVE-2026-9330)
- IBM WebSphere Application Server and IBM HTTP Server Security Bulletin List
- CWE-502: Deserialization of Untrusted Data
- Oligo Security: New Vulnerabilities in IBM WebSphere Liberty
- Rapid7: IBM WebSphere RCE Java Deserialization Vulnerability (Metasploit)
- Rapid7: IBM WebSphere Deployment Manager Java Deserialization RCE (Metasploit)
- Shells and Soap: WebSphere Deserialization to RCE
- OpenCVE: WebSphere Application Server Vulnerabilities
- NYS ITS Advisory 2020-081: WebSphere Application Server RCE
- IBM Security Bulletin: CVE-2026-1561 (WebSphere Liberty SAML SSO)
- SentinelOne: CVE-2020-4589 WebSphere Application Server RCE
- Exploit-DB: IBM WebSphere Application Server Network Deployment



