Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
IBM WebSphere Application Server 9.0 and 8.5 are affected by improper validation of user-supplied data during deserialization in the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain.
Analysis (AI)
Remote code execution in IBM WebSphere Application Server 9.0 and 8.5 allows authenticated attackers to abuse unsafe Java deserialization in the SAML Web Single Sign-On component to run arbitrary code via a crafted HTTP request combined with a gadget chain. The flaw carries a CVSS 8.5 with scope change, and while no public exploit has been identified at time of analysis, deserialization gadget chains for WebSphere are historically well-researched. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the SAML Web Single Sign-On component to be enabled and reachable (a non-default but common configuration in enterprises using federated identity), a low-privileged authenticated session or token (CVSS PR:L), and a usable Java deserialization gadget chain present on the WebSphere classpath. Without a viable gadget, the unsafe readObject call yields a deserialization error rather than code execution, which is why CVSS rates AC:H. … |
| Risk Assessment | The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects a high-complexity, network-reachable bug requiring low privileges but yielding full confidentiality, integrity, and availability impact with scope change, meaning successful exploitation can pivot beyond the vulnerable component into the underlying host or other tenants. … |
| Exploit Scenario | An attacker who holds a low-privileged authenticated context (or who can post to the SAML ACS endpoint with a valid-looking assertion wrapper) crafts an HTTP request whose body or SAML token contains a serialized Java object graph built from a gadget chain present on the WebSphere classpath. WebSphere's SAML Web SSO handler invokes readObject on the supplied bytes, the gadget chain pivots to Runtime.exec, and the attacker obtains code execution as the WebSphere process user; with S:C, the compromise can extend to other hosted applications and underlying OS resources. … |
| Remediation | Apply the patch referenced in IBM's support bulletin at https://www.ibm.com/support/pages/node/7274733, installing the IBM-supplied interim fix or Fix Pack for the 9.0 and 8.5 branches as appropriate to your deployed baseline (vendor-released patch: see the IBM advisory for branch-specific iFix levels). … |
Recommended Action (AI)
Within 24 hours: Inventory all WebSphere 9.0 and 8.5 instances and assess their network exposure. …
Related identifiers
- EUVD-2026-33740
- GHSA-xrfh-q76x-p6f2