
WebSphere eXtreme Scale CVE-2026-13773

EUVD ID: EUVD-2026-40386 (CRITICAL)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2026-06-30 · Vendor: ibm · Advisory: GHSA-hgv4-prq7-c9mx
Headline severity: Critical (10.0, NVD) · Status: Disputed

Severity by source

Sources disagree (Medium to Critical).

Vendor (ibm), primary: MEDIUM (qualitative)
NVD: 10.0 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI: 9.0 CRITICAL
  Rationale: Network-reachable and unauthenticated, but AC:H because exploitation requires a pre-existing unfiltered deserialization sink and chaining the separate WAS-26 ORB flaw; scope changes as SSRF pivots beyond the vulnerable component.
  CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Jul 02, 2026 18:45, vuln.today: Analysis Updated, v3 (cvss_changed)
Jul 02, 2026 18:44, vuln.today: Analysis Updated, v2 (cvss_changed)
Jul 02, 2026 18:37, vuln.today: Re-analysis Queued (cvss_changed)
Jul 02, 2026 18:37, NVD: Severity Changed, MEDIUM → CRITICAL
Jul 02, 2026 18:37, NVD: CVSS changed, 6.0 (MEDIUM) → 10.0 (CRITICAL)
Jun 30, 2026 19:55, vuln.today: Analysis Generated

Description (NVD)

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6: approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.

Analysis (AI)

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Reach exposed WAS deserialization endpoint
Delivery: Deliver serialized object with malicious IOR string
Exploit: Stub calls ORB.string_to_object() during deserialization
Execution: JVM opens outbound IIOP SSRF to attacker host
Persist: Chain IBM ORB getUserException instantiation (WAS-26)
Impact: Execute arbitrary code on WXS/WAS JVM

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target WebSphere Application Server process expose a reachable, unfiltered ObjectInputStream deserialization sink into which the attacker can inject serialized data; this is the exact precondition named in the description ("any unfiltered ObjectInputStream sink in WAS"). …
Risk Assessment: The signals are partially conflicting and should be weighed carefully. …
Exploit Scenario: An attacker who can deliver serialized data to an exposed WebSphere Application Server endpoint that deserializes objects (an unfiltered ObjectInputStream) sends a crafted payload embedding a malicious IOR string. Deserialization triggers one of the ~50 ogclient.jar CORBA stubs to call ORB.string_to_object(), forcing the JVM to open an outbound IIOP connection to the attacker's host (SSRF); combined with the WAS-26 ORB class-instantiation flaw, the returned data drives code execution on the WXS/WAS JVM. …
Remediation: Apply the vendor fix referenced in IBM's advisory at https://www.ibm.com/support/pages/node/7278594. A patch is available per that advisory, but no discrete fix version string is given in the available data, so confirm the exact iFix/APAR level against the advisory before deployment. …

Recommended Action (AI)

Within 24 hours: Identify all systems running IBM WebSphere eXtreme Scale versions 8.6.1.0-8.6.1.6 and restrict network access if immediate patching is not feasible. …
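As an added illustration (not code from vuln.today or IBM) of the precondition the description names, an "unfiltered ObjectInputStream sink", the Java snippet below shows the one change that closes it: a JDK ObjectInputFilter allow-list on the stream, which refuses any class outside the expected set before its readObject logic can run, so a stub's ORB.string_to_object() call is never reached. FilteredSink and OrderRequest are hypothetical names; the page does not identify the stub classes' package, so the filter is an allow-list of expected types rather than a deny-list of specific stubs.

```java
import java.io.*;
import java.util.HashMap;

public final class FilteredSink {
    // Hypothetical payload type that this endpoint legitimately receives.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String sku;
        public OrderRequest(String sku) { this.sku = sku; }
    }

    // Allow-list filter: only the expected class may be resolved and "!*" rejects
    // everything else, so a CORBA stub class in the stream is refused before its
    // readObject logic (and any ORB.string_to_object call) can execute.
    // maxdepth/maxrefs bound nesting and object count against stream-bomb DoS.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;" + OrderRequest.class.getName() + ";!*");

    // Wrap the allow-list so each rejection is logged with the offending class
    // name, which is the field a detection rule on these logs would key on.
    private static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = ALLOW_LIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED && info.serialClass() != null) {
            System.err.println("deserialization rejected: " + info.serialClass().getName());
        }
        return status;
    };

    // The hardened sink: an ordinary ObjectInputStream plus one setObjectInputFilter call.
    public static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(LOGGING_FILTER); // Java 9+ API (8u121+: sun.misc.ObjectInputFilter)
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + ((OrderRequest) read(serialize(new OrderRequest("A-1")))).sku);
        try {
            read(serialize(new HashMap<String, String>())); // stands in for any unexpected class
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For an existing WAS deployment whose code cannot be changed, the same pattern string can be applied JVM-wide through the jdk.serialFilter system property (JEP 290, Java 9+ and 8u121+), tested first against the server's own serialization traffic, since an over-tight global filter breaks legitimate paths.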
