VYPR
Critical severity 9.0 · NVD Advisory · Published Jun 1, 2026

CVE-2026-9319

Description

IBM WebSphere Application Server is vulnerable to RCE via JAX-WS endpoints with WS-Security due to untrusted data deserialization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IBM WebSphere Application Server versions 9.0 and 8.5 are vulnerable to remote code execution due to the deserialization of untrusted data when using JAX-WS endpoints with WS-Security enabled. This vulnerability is categorized under CWE-502: Deserialization of Untrusted Data [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted data to JAX-WS endpoints that utilize WS-Security. No authentication or user interaction is required, and the attacker only needs network access to reach the vulnerable endpoints. The attack involves deserializing untrusted data, which can lead to code execution [1].

Impact

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution with a high impact on confidentiality, integrity, and availability. The scope of the compromise can be significant, as the attacker gains control over the affected server [1].

Mitigation

IBM recommends applying interim fixes or fix packs that contain the fix for APAR PH71454. For WebSphere Application Server traditional V9.0.0.0 through 9.0.5.28, upgrade to minimal fix pack levels and apply the interim fix, or apply Fix Pack 9.0.5.29 or later (targeted for 3Q2026). For V8.5.0.0 through 8.5.5.29, upgrade to minimal fix pack levels and apply the interim fix, or apply Fix Pack 8.5.5.30 or later (targeted for 3Q2026) [1]. No workarounds are available [1].
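The advisory gives affected ranges and target fix pack levels but no tooling for checking an estate against them. The following is an added example (not from IBM, VYPR, or the advisory) that encodes only the version ranges stated in the mitigation text and triages a constructed host inventory. It assumes WebSphere traditional version strings of the form major.minor.fixpack.level; it cannot see whether the interim fix for APAR PH71454 is installed, so a host reported as affected still has to be checked for the interim fix before being treated as unremediated.

```python
"""Triage IBM WebSphere Application Server traditional versions against the
ranges stated in the CVE-2026-9319 advisory (APAR PH71454).

Added example: not part of the advisory or of any IBM tooling. It only knows
the version ranges from the mitigation text; interim-fix state is not
modelled and must be verified separately on each host.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class AffectedRange(NamedTuple):
    low: Version       # first affected version (inclusive)
    high: Version      # last affected version (inclusive)
    fixed: Version     # first fix pack that contains the fix for APAR PH71454
    note: str


# Ranges and target fix packs as given in the advisory's mitigation section.
AFFECTED_RANGES = (
    AffectedRange((9, 0, 0, 0), (9, 0, 5, 28), (9, 0, 5, 29),
                  "Fix Pack 9.0.5.29 or later (targeted for 3Q2026)"),
    AffectedRange((8, 5, 0, 0), (8, 5, 5, 29), (8, 5, 5, 30),
                  "Fix Pack 8.5.5.30 or later (targeted for 3Q2026)"),
)


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a tuple of ints; shorter strings are padded with zeros."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def classify(version_text: str) -> Dict[str, Optional[str]]:
    """Return affected / fixed / out_of_scope for one version string.

    'out_of_scope' means the version line is not listed in the advisory at all;
    it is not a statement that the host is safe.
    """
    v = parse_version(version_text)
    for r in AFFECTED_RANGES:
        if r.low <= v <= r.high:
            return {"version": version_text, "status": "affected",
                    "fixed_in": fmt(r.fixed), "note": r.note}
        # Same major.minor line and at or beyond the fixing fix pack.
        if v[:2] == r.low[:2] and v >= r.fixed:
            return {"version": version_text, "status": "fixed",
                    "fixed_in": fmt(r.fixed), "note": "at or above the fix pack level"}
    return {"version": version_text, "status": "out_of_scope", "fixed_in": None,
            "note": "version line not listed in the advisory; consult the vendor bulletin"}


# Constructed inventory lines ("<host> <version>"); hostnames are placeholders.
SAMPLE_INVENTORY = [
    "was-prod-01 9.0.5.12",
    "was-prod-02 9.0.5.29",
    "was-legacy-01 8.5.5.22",
    "was-legacy-02 8.5.5.30",
    "was-lab-01 8.0.0.15",
]


def triage_inventory(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Classify each '<host> <version>' line; malformed lines are reported, not dropped."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            results.append({"host": line, "status": "unparseable"})
            continue
        host, version = fields
        try:
            entry = classify(version)
        except ValueError as exc:
            entry = {"version": version, "status": "unparseable", "note": str(exc)}
        results.append({"host": host, **entry})
    return results


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<16} {row.get('version', ''):<10} {row['status']:<13} {row.get('note', '')}")
```

The status values are deliberately limited to what the advisory supports: "affected" hosts need the interim fix or the listed fix pack, "fixed" hosts are at or above the stated fix pack level, and "out_of_scope" only means the advisory does not list that version line.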

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; mechanics are generated only when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.