Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable OQL sink exploitable by a low-privilege authenticated user with no interaction; constructor execution yields total impact, and cross-node/JEP-290 bypass justifies scope change (S:C).
Primary rating from Vendor (ibm).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries.
Analysis (AI)
Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. …
Recommended Action (AI)
Within 24 hours: inventory all IBM WebSphere eXtreme Scale 8.6.1.x installations and isolate affected grids from untrusted networks if immediate patching is not feasible. …
External POC / Exploit Code
EUVD-2026-40387
GHSA-w6x5-7fjj-v49p