ZeroPath at Black Hat USA 2026

IBM WebSphere Application Server CVE-2026-9330: SAML SSO Deserialization Leading to Remote Code Execution

A brief summary of CVE-2026-9330, a high severity deserialization vulnerability in IBM WebSphere Application Server's SAML Web SSO component that enables remote code execution via crafted HTTP requests when combined with a suitable gadget chain.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

IBM WebSphere Application Server CVE-2026-9330: SAML SSO Deserialization Leading to Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A deserialization flaw in IBM WebSphere Application Server's SAML Web Single Sign-On component allows a low-privilege authenticated attacker to achieve remote code execution by injecting a crafted serialized Java object into a client-side cookie that the server blindly trusts. With 456 tracked CVEs against WebSphere and existing public exploit tooling for prior deserialization vulnerabilities in the same product, this CVSS 8.5 vulnerability (CVE-2026-9330) lands in a well-worn attack surface where exploit development is not a matter of "if" but "when."

Technical Information

Root Cause: CWE-502 Deserialization of Untrusted Data

CVE-2026-9330 is classified under CWE-502: Deserialization of Untrusted Data, a weakness that appears on the CWE Top 25 Most Dangerous Software Weaknesses list. The vulnerability exists in IBM WebSphere Application Server traditional versions 9.0.0.0 through 9.0.5.28 and 8.5.0.0 through 8.5.5.29. The flaw arises from improper validation of user-supplied data during deserialization operations within the SAML Web Single Sign-On component. According to the NVD description, this "could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain."

Research into the closely related CVE-2026-1561 (affecting WebSphere Liberty) by Oligo Security reveals the technical mechanism that likely applies to CVE-2026-9330 in the traditional WAS product. The SAML Web SSO mechanism serializes a Java InitialRequest object and stores it client-side in a browser cookie named WASInitialRequest_<relayState>. When the server processes the SAML authentication flow, it reads and deserializes this cookie using ObjectInputStream.readObject().

The InitialRequestUtil class within the com.ibm.ws.security.saml.websso.2.0_1.0.108.jar file contains the vulnerable digestInitialRequestCookieValue() method. A critical implementation flaw involves a String.concat() misuse: the code calls concat() to append a server-side secret to the data being hashed but ignores the return value, leaving the original string unchanged. Since String objects in Java are immutable, concat() returns a new string rather than modifying the original. By discarding this return value, the "server-only secret" intended to prevent cookie forgery never actually participates in the digest computation. This renders the integrity check completely ineffective.

CVSS Vector Breakdown

The CVSS v3.1 vector for CVE-2026-9330 is AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (score 8.5):

CVSS ComponentValueInterpretation
Attack VectorNetwork (AV:N)Exploitable remotely over the network
Attack ComplexityHigh (AC:H)Requires specialized conditions or gadget chain knowledge
Privileges RequiredLow (PR:L)Attacker needs basic authenticated access
User InteractionNone (UI:N)No user interaction needed
ScopeChanged (S:C)Impact extends beyond the vulnerable component
ConfidentialityHigh (C:H)Total information disclosure
IntegrityHigh (I:H)Total system integrity compromise
AvailabilityHigh (A:H)Total availability loss

The "Changed" scope is particularly significant here. Because the vulnerability targets the SAML SSO component, a successful exploit can cascade beyond the WebSphere server itself into the broader federated identity ecosystem.

Attack Flow

The exploitation path proceeds as follows:

  1. Reconnaissance: The attacker identifies a WebSphere Application Server instance with SAML Web SSO enabled, reachable over the network.

  2. Authentication: The attacker obtains low-privilege authenticated access to the application (PR:L). This could be any valid user account.

  3. Cookie Forgery: The attacker crafts a malicious WASInitialRequest_<relayState> cookie containing a serialized Java object. Because the integrity check on the cookie is bypassed (the String.concat() flaw means the server secret is never included in the digest), the attacker can compute valid digests for arbitrary cookie values.

  4. Gadget Chain Injection: The serialized object within the cookie is constructed as a gadget chain: a sequence of classes already present on the WebSphere classpath whose deserialization callbacks (readObject, readResolve, etc.) chain together to achieve arbitrary code execution.

  5. Deserialization and Execution: The attacker sends the crafted HTTP request to the SAML SSO endpoint. The server deserializes the cookie via ObjectInputStream.readObject(), triggering the gadget chain and executing arbitrary code on the server.

The attack complexity is rated High (AC:H) specifically because the attacker must identify and construct a working gadget chain from the classes available on the target server. However, this barrier is substantially lowered by the existence of public tooling and research.

Existing Exploit Tooling for WebSphere Deserialization

Public exploit code for similar WebSphere deserialization vulnerabilities already exists and significantly reduces the barrier for developing an exploit targeting CVE-2026-9330:

  • Rapid7 hosts a Metasploit module (exploit/windows/misc/ibm_websphere_java_deserialize) that exploits unsafe deserialization of unauthenticated Java objects in WebSphere.
  • A second Metasploit module (exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce) targets the Deployment Manager component.
  • A detailed technical writeup titled "Shells and Soap: Websphere Deserialization to RCE" demonstrates step-by-step exploitation of WebSphere deserialization, including SOAP-based deserialization paths and gadget chain construction.

Dual Vulnerability Bulletin

IBM published CVE-2026-9330 alongside CVE-2026-9311 (CVSS 9.0, CWE-94 code injection) in the same security bulletin. Both affect WebSphere traditional V9.0 and V8.5, creating two distinct RCE pathways in the same server versions. The same interim fix (APAR PH71453) resolves both vulnerabilities.

Affected Systems and Versions

The following IBM WebSphere Application Server traditional versions are affected:

ProductAffected Version RangeFixed InterimPermanent Fix PackTarget Availability
WebSphere Application Server V9.09.0.0.0 through 9.0.5.28APAR PH714539.0.5.29 or later3Q2026
WebSphere Application Server V8.58.5.0.0 through 8.5.5.29APAR PH714538.5.5.30 or later3Q2026

The vulnerability specifically requires the SAML Web Single Sign-On feature to be enabled. Deployments without SAML SSO configured are not exposed to this particular attack vector.

IBM explicitly states that no workarounds or mitigations are available. The only remediation is applying the interim fix (APAR PH71453) or the permanent fix packs when they become available in 3Q2026. Organizations that cannot apply the interim fix immediately should consider disabling the SAML Web SSO feature where operationally feasible, restricting network access to WebSphere servers, and tightly controlling low-privilege account access.

Vendor Security History

IBM WebSphere Application Server has accumulated a substantial CVE history, with OpenCVE tracking 456 CVEs for the product. The recurrence of deserialization vulnerabilities is a notable pattern:

CVE IDYearTypeSeverityDescription
CVE-2020-45892020CWE-502 DeserializationHighInsecure deserialization in WAS 7.0, 8.0, 8.5, 9.0 allowing RCE via crafted serialized objects
CVE-2024-351542024RCEHighRCE in administrative console requiring authenticated attacker with console access
CVE-2025-360382025Arbitrary Code ExecutionHighArbitrary code execution in WAS 8.5 and 9.0
CVE-2026-15612026CWE-502 DeserializationHighPre-authentication unsafe deserialization in SAML Web SSO in WebSphere Liberty
CVE-2026-93112026CWE-94 Code Injection9.0Code injection in WAS Traditional (same bulletin as CVE-2026-9330)

The broader 2026 WebSphere vulnerability landscape also includes CVE-2026-3621 (identity spoofing in Liberty), CVE-2026-8633 (RCE in Web Server Plug-ins), and CVE-2026-8620 (HTTP request smuggling in Web Server Plug-ins). The Oligo Security research that discovered CVE-2026-1561 identified seven distinct flaws in WebSphere Liberty, creating multiple pathways for privilege escalation and remote code execution.

The recurrence of deserialization vulnerabilities (CVE-2020-4589, CVE-2026-1561, CVE-2026-9330) across multiple years in the same product line, each involving the same fundamental weakness of deserializing attacker-controlled data without adequate validation, suggests the root cause is architectural rather than a one-off coding error. The String.concat() flaw that undermines the cookie integrity check in the SAML SSO flow is a particularly illustrative example: a subtle implementation mistake that completely negates a security control.

In June 2020, the New York State Office of Information Technology Services issued advisory 2020-081 specifically warning about WebSphere deserialization risks, demonstrating that this vulnerability class has historically attracted government-level attention.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization