VYPR advisory · Published Jun 1, 2026 · Updated Jun 2, 2026 · 1 source

IBM WebSphere: Five RCE and Spoofing Vulnerabilities Disclosed Together


Key findings

On June 1, 2026, a cluster of five significant vulnerabilities affecting IBM WebSphere Application Server and IBM i Access Family was disclosed, with three rated as critical and two as high severity. These disclosures highlight potential risks for organizations relying on these IBM products for their application infrastructure.

The vulnerabilities primarily affect IBM WebSphere Application Server versions 9.0 and 8.5. Three of the disclosed issues, CVE-2026-9330, CVE-2026-9319, and CVE-2026-9311, carry critical or high severity ratings and concern improper validation of data during deserialization. Specifically, CVE-2026-9330 involves improper validation of user-supplied data during deserialization in the SAML Web Single Sign-On component, which can lead to remote code execution (RCE) when combined with a suitable gadget chain. Similarly, CVE-2026-9319 presents an RCE risk from deserialization of untrusted data via JAX-WS endpoints with WS-Security. CVE-2026-9311 also leads to RCE, in this case through a bypass of security controls.

Adding to the critical findings, CVE-2026-8644, rated critical, also affects IBM WebSphere Application Server 9.0 and 8.5. This flaw exposes the system to identity spoofing, allowing an attacker to impersonate legitimate users or systems, with severe implications for data integrity and access control.

Beyond WebSphere Application Server, the batch also includes CVE-2026-7770, a high-severity vulnerability affecting IBM i Access Family, specifically versions 1.1.5.0 through 1.1.9.12 of IBM i Access Client Solutions (ACS). This vulnerability can lead to remote code execution when the product is configured to listen for requests from IBM i Navigator.

All disclosed vulnerabilities were published on the same day, indicating a coordinated disclosure event. While the descriptions do not explicitly mention in-the-wild exploitation, the severity of these flaws, particularly the RCE and identity spoofing capabilities, warrants immediate attention from administrators. The affected versions for WebSphere Application Server are clearly defined as 9.0 and 8.5, and for IBM i Access Client Solutions, versions 1.1.5.0 through 1.1.9.12 are impacted.
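As an added triage aid that is not part of the advisory, the following Python matches a software inventory against the affected versions stated above. The inventory lines are constructed sample data, the product keys and the `is_affected`/`triage` names are assumptions of this example, and the check reflects only the advisory's version statements, not the fix-pack levels that IBM's own advisories give for each CVE.

```python
# Added example, not from the advisory: triage an inventory against the
# affected versions stated above. Inventory lines are constructed sample data.
from typing import List, Optional, Tuple

# Affected versions as stated in the advisory (not fix levels; IBM's own
# advisory gives the exact fix packs that resolve each CVE).
AFFECTED = {
    # WebSphere Application Server: the 9.0 and 8.5 release trains
    "websphere": {"trains": {(9, 0), (8, 5)}, "range": None},
    # IBM i Access Client Solutions 1.1.5.0 through 1.1.9.12, inclusive
    "acs": {"trains": None, "range": ((1, 1, 5, 0), (1, 1, 9, 12))},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.1.9.12' into (1, 1, 9, 12) so comparisons are numeric.
    A plain string compare would wrongly rank '1.1.9.12' below '1.1.9.2'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if version is in an affected range, False if not,
    None if the product is not covered by this advisory."""
    spec = AFFECTED.get(product)
    if spec is None:
        return None
    v = parse_version(version)
    if spec["trains"] is not None:
        return v[:2] in spec["trains"]
    low, high = spec["range"]
    return low <= v <= high


# Constructed sample inventory: hostname,product,version
INVENTORY = """\
app01,websphere,9.0.5.22
app02,websphere,8.5.5.27
app03,websphere,7.0.0.45
ws01,acs,1.1.9.12
ws02,acs,1.1.9.2
ws03,acs,1.1.9.13
db01,db2,11.5.8
"""


def triage(inventory: str) -> List[str]:
    """Return hostnames whose product/version falls in an affected range."""
    hits = []
    for line in inventory.splitlines():
        host, product, version = line.split(",")
        if is_affected(product, version):
            hits.append(host)
    return hits
```

Note that `ws02` (1.1.9.2) is correctly flagged only because versions are compared numerically; a string comparison would place it above 1.1.9.12 and miss it.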

IBM has provided advisories for these vulnerabilities, and users are strongly encouraged to review the specific guidance for each CVE. Applying available patches and updates is crucial to mitigate the risks associated with deserialization flaws, security control bypasses, and identity spoofing. The simultaneous disclosure of these critical and high-severity issues underscores the importance of maintaining up-to-date security configurations and promptly addressing security advisories for IBM products.

Synthesized by Vypr AI