
WebSphere eXtreme Scale CVE-2026-13759

EUVD-2026-40388 · HIGH
Deserialization of Untrusted Data (CWE-502)
Published 2026-06-30 · ibm · GHSA-xw6m-6cgm-v7qm
8.8 (CVSS 3.1, NVD)

Severity by source

  • Vendor (ibm), primary source: HIGH (qualitative)
  • NVD: 8.8 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • vuln.today AI: 8.8 HIGH
    CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    Rationale: Network-reachable deserialization needs a low-priv authenticated session-attribute write (PR:L) with no user interaction, yielding full RCE (C:H/I:H/A:H); the LAN-wire path could justify PR:N but PR:L is the conservative default.

Primary rating from Vendor (ibm).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Jul 02, 2026 - 19:02 (vuln.today): Analysis Updated, v3 (cvss_changed)
  • Jul 02, 2026 - 19:00 (vuln.today): Analysis Updated, v2 (cvss_changed)
  • Jul 02, 2026 - 18:52 (vuln.today): Re-analysis Queued (cvss_changed)
  • Jul 02, 2026 - 18:52 (NVD): CVSS changed, 7.5 (HIGH) to 8.8 (HIGH)
  • Jun 30, 2026 - 19:54 (vuln.today): Analysis Generated

Description (NVD)

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs.

Analysis (AI)

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. …
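The Description and Analysis above turn on a single mechanism: an ObjectInputStream subclass that installs no JEP-290 ObjectInputFilter will resolve and instantiate whatever class the incoming stream names. The Java program below is an added illustration of that mechanism and of its defensive counterpart; it is not IBM's code and not the WebSphere eXtreme Scale fix, and the classes it uses (FilteredDeserializationDemo, SessionNote, NotExpected) are constructed for the demo. It contrasts an unfiltered subclass with one that sets an allow-list filter in its constructor, so the filter is in place before any readObject() call can run.

```java
import java.io.*;

/**
 * Added example, not IBM code: an ObjectInputStream subclass with a JEP-290
 * allow-list filter, beside an unfiltered subclass that accepts any class
 * present on the classpath.
 */
public class FilteredDeserializationDemo {

    /** Benign session-attribute type (constructed for this demo). */
    static final class SessionNote implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        SessionNote(String text) { this.text = text; }
    }

    /** A type the stream must never instantiate (constructed stand-in, not a real gadget). */
    static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** JEP-290 pattern filter: cap graph depth and reference count, allow the
     *  two expected classes, reject everything else ("!*"). */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;"
            + "FilteredDeserializationDemo$SessionNote;java.lang.String;!*");

    /** Unfiltered subclass: mirrors the weakness described on the page. */
    static final class UnfilteredObjectInputStream extends ObjectInputStream {
        UnfilteredObjectInputStream(InputStream in) throws IOException { super(in); }
    }

    /** Filtered subclass: the filter is installed before any object can be read. */
    static final class FilteredObjectInputStream extends ObjectInputStream {
        FilteredObjectInputStream(InputStream in) throws IOException {
            super(in);
            setObjectInputFilter(ALLOW_LIST);
        }
    }

    /** Serialize an object to bytes, standing in for a replicated session attribute. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Attempt one readObject() and report whether the filter stopped it. */
    static String tryRead(ObjectInputStream in) {
        try (in) {
            Object o = in.readObject();
            return "accepted " + o.getClass().getSimpleName();
        } catch (InvalidClassException e) {
            // Raised by the filter before the rejected class is instantiated.
            return "rejected by filter: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] benign = serialize(new SessionNote("hello"));
        byte[] unexpected = serialize(new NotExpected());

        System.out.println("unfiltered, unexpected class: "
                + tryRead(new UnfilteredObjectInputStream(new ByteArrayInputStream(unexpected))));
        System.out.println("filtered, benign class:       "
                + tryRead(new FilteredObjectInputStream(new ByteArrayInputStream(benign))));
        System.out.println("filtered, unexpected class:   "
                + tryRead(new FilteredObjectInputStream(new ByteArrayInputStream(unexpected))));
    }
}
```

Compile and run with `javac FilteredDeserializationDemo.java && java FilteredDeserializationDemo` on JDK 9 or later. The first line shows the unfiltered stream instantiating a class it was never meant to see; the third shows the filtered stream raising InvalidClassException before that happens, which is the property the three bundled subclasses in the description lack. The same pattern syntax is accepted by the `jdk.serialFilter` system property (and the matching entry in the JDK's `conf/security/java.security`), which applies to streams that set no filter of their own; whether a process-wide allow-list is an acceptable compensating control for this product is not stated on this page and should be confirmed against the IBM advisory.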


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain low-priv login or LAN grid access
  • Delivery: Craft serialized Coherence gadget payload
  • Exploit: Write payload as session attribute or inject on replication wire
  • Execution: Peer JVM deserializes without JEP-290 filter
  • Persist: Gadget chain triggers method invocation
  • Impact: Execute arbitrary code on peer WAS JVMs

Vulnerability Assessment (AI)

Exploitation: Two concrete paths exist. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are moderately but not uniformly alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a valid low-privilege application login stores a crafted serialized object as a session attribute; when WebSphere eXtreme Scale replicates that session to peer WAS JVMs, one of the unfiltered ObjectInputStream subclasses deserializes it and a Coherence gadget chain executes attacker code on those peers. Alternatively, an attacker positioned on the LAN who can reach the grid replication wire injects a malicious serialized payload directly. …

Remediation: Apply the IBM-provided fix referenced in the vendor advisory at https://www.ibm.com/support/pages/node/7278595 (patch available per vendor advisory; an exact fix-pack version is not stated in the supplied data, so confirm the target level directly with IBM). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: identify all systems running IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6, particularly those with Oracle Coherence in the classpath. …
