CVE-2026-9330: IBM WebSphere Application Server is affected by remote code execution
IBM WebSphere Application Server 9.0 and 8.5 are affected by improper validation of user-supplied data during deserialization in the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A deserialization vulnerability in IBM WebSphere Application Server's SAML Web Single Sign-On component allows a network-accessible attacker with low-privilege credentials to execute arbitrary code on the server. The flaw stems from improper validation of user-supplied data during deserialization; an attacker sends a crafted HTTP request paired with a suitable gadget chain to trigger the exploit. Successful exploitation grants full remote code execution with high impact on confidentiality, integrity, and availability across the affected system and potentially adjacent systems in scope. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment IBM ships a fix.
HarborGuard Coverage
- Available: Detection for CVE-2026-9330 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that bundle WebSphere Application Server 8.5 or 9.0 components. Coverage extends to images in both connected registries and active CI/CD pipelines.
- Available: HarborGuard is capable of surfacing this CVE with its CVSS v3.1 score of 8.5 (HIGH) and applying per-environment compliance policy weighting to determine priority and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks this advisory each ingest cycle and will make a patched-image rebuild available automatically the moment IBM publishes a remediated release. In the interim, customers with auto-remediation enabled are notified and can apply compensating controls through HarborGuard's policy engine while monitoring continues.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the WebSphere Application Server over the network, as the SAML SSO endpoint is exposed via HTTP.
- Authentication: Required. The attacker must hold at least a low-privilege account, since the CVSS vector specifies PR:L; any valid low-privilege credential is sufficient.
- Victim interaction: Not required. No victim interaction is needed; the attacker triggers the vulnerability directly through a crafted HTTP request without requiring any user action.
- Attack complexity: High. The attacker must assemble a working gadget chain and may depend on specific environmental conditions or classpath contents to achieve code execution reliably.
Blast Radius
- A successful attacker executes arbitrary code in the context of the WebSphere server process, gaining full control over the application runtime.
- Because the CVSS scope is Changed, the attacker can pivot beyond the vulnerable component and access resources in other system scopes or containers sharing the environment.
- All data processed or stored by the application server, including session tokens, credentials, and customer records, is readable by the attacker (Confidentiality: High).
- The attacker can modify application data, alter persisted records, or overwrite configuration, and can crash or render the service completely unavailable (Integrity and Availability: High).
How HarborGuard Handles This
Available on HarborGuard: because IBM has not yet published a fix for CVE-2026-9330, HarborGuard continuously re-checks the upstream advisory each ingest cycle and will trigger a patched-image rebuild automatically as soon as a remediated version is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. In the meantime, HarborGuard's policy engine can be used to apply compensating controls: consider configuring network-policy rules to restrict inbound access to the SAML SSO endpoint to trusted identity-provider IP ranges only, enabling egress filtering to limit lateral movement if exploitation occurs, and flagging images containing affected WebSphere versions for elevated review in compliance dashboards. This CVE is rated HIGH (CVSS 8.5) with a Changed scope, so organizations running affected images in multi-tenant or shared-network environments should treat it as a priority item until an upstream patch is available.
Affected Products
- IBM / WebSphere Application Server: ≤ 1.1.9.12 · 8.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H