CVE-2026-9319: IBM WebSphere Application Server is affected by a remote code execution vulnerability
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A remote code execution vulnerability affects IBM WebSphere Application Server versions 9.0 and 8.5, triggered through deserialization of untrusted data sent to JAX-WS endpoints that use WS-Security. The vulnerability is reachable over the network without any authentication, though exploitation requires overcoming high-complexity conditions. Successful exploitation gives an attacker full control over the host, including the ability to read, modify, or destroy data and crash the service. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
Detection for CVE-2026-9319 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, covering both third-party and custom-built images that include affected WebSphere Application Server versions. Any container image carrying an affected version of IBM WebSphere Application Server 9.0 or 8.5 is flagged automatically in customer registries and CI/CD pipelines.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.0 (Critical) and weighting that score against each environment's compliance policy to determine escalation priority. Triage findings can be routed to the appropriate team inbox within each customer organization based on per-environment policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the IBM advisory on every ingest cycle and will make a patched-image rebuild available the moment IBM ships a corrected release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable JAX-WS endpoint must be reachable over the network, exposing the attack surface to any host that can send HTTP or SOAP traffic to the server.
- Authentication: Not required
  No credentials or session token are needed; an unauthenticated attacker can send a crafted payload directly to the endpoint.
- Victim interaction: Not required
  Exploitation is fully server-side and requires no action from any user or administrator of the affected system.
- Attack complexity: Detail
  Exploitation is rated High complexity, meaning the attacker must account for specific environmental conditions such as timing, memory layout, or particular server configuration before the deserialization payload executes reliably.
Blast Radius
- A successful attacker executes arbitrary code in the context of the WebSphere Application Server process, gaining full control of the host.
- Confidential data accessible to the server process, including credentials, session tokens, and business records, can be read and exfiltrated.
- Persistent application data and configuration files stored on the host can be modified or deleted.
- The WebSphere Application Server process and any dependent services can be terminated, causing a full service outage.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9319 is active in the vulnerability matching pipeline and will flag any customer image carrying an affected version of IBM WebSphere Application Server 9.0 or 8.5. Because IBM has not yet published a fix version, no patched-image rebuild is currently available. HarborGuard monitors the IBM advisory on every ingest cycle and will surface a patched rebuild as soon as an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, regression-test run, and PR against affected workloads automatically at that point. In the interim, compensating controls worth evaluating include network-policy isolation to restrict access to JAX-WS endpoints to trusted source addresses only, egress filtering to limit lateral movement if the process is compromised, and disabling WS-Security deserialization paths on any endpoint that does not strictly require them.
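One way to express the network-policy isolation and egress filtering described above, as an added example that is not HarborGuard's or IBM's configuration. It assumes the affected servers run as Kubernetes pods; the namespace, labels, address ranges and the Db2 backend are hypothetical, and 9443 is the WebSphere default HTTPS port.

```yaml
# Added example. All names, labels and CIDRs are assumptions, not values from the advisory.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: was-jaxws-restrict          # hypothetical policy name
  namespace: was-prod               # hypothetical namespace
spec:
  podSelector:
    matchLabels:
      app: websphere-traditional    # hypothetical label on the WAS 8.5/9.0 pods
  policyTypes:
    - Ingress                       # selecting a type makes it default-deny
    - Egress
  ingress:
    # Only the trusted SOAP client range may reach the JAX-WS endpoints.
    - from:
        - ipBlock:
            cidr: 10.20.30.0/24     # constructed range for trusted WS-Security clients
      ports:
        - protocol: TCP
          port: 9443                # WAS default HTTPS transport (WC_defaulthost_secure)
  egress:
    # DNS lookups, limited to the cluster DNS pods.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The one backend the application needs; everything else is dropped,
    # which limits lateral movement if the server process is compromised.
    - to:
        - ipBlock:
            cidr: 10.20.40.10/32    # constructed address of the application database
      ports:
        - protocol: TCP
          port: 50000               # Db2 default port; adjust to the real backend
```

The policy is enforced only when the cluster's network plugin implements NetworkPolicy. If SOAP traffic arrives through a load balancer or ingress proxy that rewrites the source address, the trusted-source restriction has to be applied at that layer instead.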
- IBM / WebSphere Application Server: ≤ 1.1.9.12 · 8.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H