Severity: CRITICAL | CVE-2026-9311 | CNA: ibm

CVE-2026-9311: IBM WebSphere Application Server is affected by remote code execution

IBM WebSphere Application Server 9.0 and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.

Metrics

  • CVSS v3.1: 9.0
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A remote code execution vulnerability affects IBM WebSphere Application Server versions 9.0 and 8.5, caused by a bypass of security controls. The flaw is reachable over the network without any authentication, though exploitation requires overcoming environmental conditions that raise attack complexity. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the affected server, including the ability to execute arbitrary code. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment IBM publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-9311 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built WebSphere Application Server images in customer registries and CI pipelines. Any image running an affected version of WebSphere Application Server 9.0 or 8.5 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.0 Critical and surfaces it with per-environment compliance policy weighting applied, so teams operating under stricter SLAs see it prioritized accordingly. Triage routing is available to direct alerts to the right inbox or ticketing queue within each customer organization based on their configured policy.

Status: Available

Patch

No fix version has been published by IBM for this vulnerability. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WebSphere Application Server service over the network; the service must be exposed to the attacker's network segment.

  • Authentication: Not required

    No account or credentials are needed; the attacker can target the service as an unauthenticated external party.

  • Victim interaction: Not required

    No user action or interaction from anyone on the target system is required for the attack to succeed.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning the attacker must account for race conditions, specific memory layout, or other environmental factors that cannot be reliably controlled on every attempt.

Blast Radius

  • Reads any data accessible to the WebSphere process, including session tokens, application credentials, and business records stored or cached by the server.
  • Modifies or deletes application data, configuration files, and persisted state managed by the affected WebSphere instance.
  • Crashes or degrades the WebSphere Application Server process, causing a full service outage for applications hosted on it.
  • Because the scope is changed (S:C), the attacker can pivot beyond the WebSphere process boundary and affect other components or services sharing the same host or infrastructure.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of CVE-2026-9311 is active, with re-evaluation on every advisory ingest cycle so that a patched-image rebuild is queued the moment IBM publishes a fix. While no upstream patch exists, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict inbound access to WebSphere ports, egress filtering to limit lateral movement if the service is compromised, and feature-flag gating to disable non-essential remote interfaces on the affected server. For customers who opt into auto-remediation, the full rebuild-and-PR flow (rebuilt image, regression-test run, and pull request opened against affected workloads) will execute automatically once a fix version is available, with median time from CVE patch publication to merged PR running around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.

Affected packages
  • IBM / WebSphere Application Server
    ≤ 1.1.9.12 · 8.5
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H