CVE-2026-13759
Status: Received - Intake

IBM WebSphere Extreme Scale Remote Code Execution

Vulnerability report for CVE-2026-13759, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:

Vendor: ibm
Product: websphere_extreme_scale
Version / Range: from 8.6.1.0 (inclusive) to 8.6.1.6 (inclusive)

CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Executive Summary

CVE-2026-13759 is a vulnerability in IBM WebSphere eXtreme Scale versions 8.6.1.0 through 8.6.1.6 caused by insecure deserialization of untrusted data. Specifically, three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, and ObjectInputStreamResolver) do not implement the JEP-290 class filter, which is designed to restrict what classes can be deserialized.

When Oracle Coherence is present on the classpath, this flaw allows attackers to exploit multiple remote code execution (RCE) gadget chains, such as RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator. This means an attacker who has post-login access and can write a session attribute, or an attacker on the local network adjacent to the grid replication wire, can execute arbitrary code on peer WebSphere Application Server JVMs.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on affected systems. An attacker exploiting this flaw can execute arbitrary code on peer WebSphere Application Server JVMs, potentially compromising the confidentiality, integrity, and availability of the affected systems.

  • Loss of confidentiality due to unauthorized access or data exposure.
  • Loss of integrity by allowing attackers to alter data or system behavior.
  • Loss of availability by potentially disrupting services through malicious code execution.

Mitigation Strategies

IBM recommends enabling encryption to mitigate the risk associated with this vulnerability.

Additionally, enabling the JEP 290 global JVM deserialization filter (-Djdk.serialFilter) is suggested for additional security. This feature is available from JVM version 8.0.8.5 onwards.
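As an added illustration, not part of this report or of IBM's product code, the following Java program applies the same JEP 290 pattern syntax that -Djdk.serialFilter accepts, here as a per-stream filter so the effect can be observed in one process. The SessionAttribute class and the allow-list contents are hypothetical; the point is that an unlisted class such as java.util.PriorityQueue is rejected at its class descriptor before any of its fields are read.

```java
import java.io.*;
import java.util.PriorityQueue;

public class SerialFilterDemo {
    // Hypothetical application type standing in for a session attribute.
    static final class SessionAttribute implements Serializable { int hits; }

    // Same pattern syntax as -Djdk.serialFilter: allow-list the one type the
    // application expects, reject every other class ("!*") and cap the object
    // graph. Without "!*", unlisted classes are UNDECIDED and still accepted.
    static final String PATTERN =
        "SerialFilterDemo$SessionAttribute;!*;maxdepth=5;maxarray=100;maxrefs=100";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Per-stream filter. The process-wide equivalent is -Djdk.serialFilter=<PATTERN>
    // or ObjectInputFilter.Config.setSerialFilter(...), which may be set only once.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SessionAttribute attr = new SessionAttribute();
        attr.hits = 3;
        SessionAttribute back = (SessionAttribute) deserializeFiltered(serialize(attr));
        System.out.println("allow-listed class restored, hits=" + back.hits);

        // An empty java.util.PriorityQueue (no comparator, no elements) is enough to
        // show the effect: the class is not allow-listed, so the stream is rejected
        // at its class descriptor, before any field is read.
        try {
            deserializeFiltered(serialize(new PriorityQueue<Integer>()));
            System.out.println("UNEXPECTED: PriorityQueue accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The allow-list must be derived from the types the application actually expects in its sessions and grid traffic; a broad pattern that leaves gadget-bearing packages UNDECIDED gives little protection.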

Compliance Impact

The vulnerability allows remote code execution that impacts confidentiality, integrity, and availability of affected systems. Such impacts can lead to unauthorized access or manipulation of sensitive data, which may result in non-compliance with data protection regulations like GDPR and HIPAA.

Because the flaw involves insecure deserialization and potential arbitrary code execution on peer JVMs, organizations using the affected IBM WebSphere eXtreme Scale versions could face risks related to data breaches or system compromise, which are critical concerns under these regulations.

IBM recommends enabling encryption and the JEP 290 global JVM deserialization filter to mitigate the risk, which can help organizations maintain compliance by reducing the likelihood of exploitation.

Detection Guidance

The provided information does not include specific detection methods or commands to identify this vulnerability on your network or system.
