CVE-2026-13772
Status: Received - Intake

IBM WebSphere Extreme Scale OQL Constructor Injection

Vulnerability report for CVE-2026-13772, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 resolves attacker-supplied class names in its Object Query Language (OQL) engine via Class.forName() and invokes their constructors with no allow-list at three distinct sinks: SELECT NEW, enum literals, and reflection-based comparators. An authenticated remote attacker who can influence an application-built OQL query string can therefore execute arbitrary constructors on the WebSphere Application Server (WAS) JVM. A SELECT DISTINCT variant that uses planted grid values fires the same gadget after readObject(), in a manner that survives JEP 290 serialization filters across grid node boundaries.

CVSS Scores

Not available.

EPSS Scores

Probability: not yet evaluated
Percentile: not yet evaluated

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor: ibm
Product: websphere_extreme_scale
Version / Range: from 8.6.1.0 (inclusive) to 8.6.1.6 (inclusive)

Helpful Resources

None listed.

Exploitability

CWE: CWE-470, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'). The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
KEV: no listing shown on this page.

Attack-Flow Graph

Executive Summary

IBM WebSphere eXtreme Scale's Object Query Language (OQL) engine is vulnerable to remote code execution due to unsafe handling of class names via Class.forName().

An authenticated remote attacker can exploit this vulnerability by influencing OQL query strings to execute arbitrary constructors on the WebSphere Application Server (WAS) JVM.

The vulnerability affects versions 8.6.1.0 through 8.6.1.6 and is reachable through three sinks in the OQL engine: SELECT NEW statements, enum literals, and reflection-based comparators.

Additionally, a SELECT DISTINCT variant can trigger the same constructor invocation after deserialization, surviving JEP 290 serialization filters across grid nodes.

Impact Analysis

This vulnerability allows an authenticated remote attacker to execute arbitrary constructors on the WAS JVM, which can lead to remote code execution.

Such execution can compromise the confidentiality, integrity, and availability of the affected system.

If WebSphere eXtreme Scale is used solely as a Session Cache (Session Grid), the risk is mitigated since OQL queries are not executed.

However, in Simple Grid deployments where OQL is used, the system is at high risk of exploitation.

Detection Guidance

Detecting exposure to this vulnerability starts with establishing whether your IBM WebSphere eXtreme Scale deployment builds OQL queries from input that an authenticated remote user can influence. Because the flaw lies in how class names inside OQL are resolved, monitoring for unusual or unauthorized OQL query strings, especially those containing SELECT NEW statements, enum literals naming unexpected classes, or reflection-based comparators, is critical.

IBM does not provide specific detection commands or tools in the referenced resources, and none are suggested here. The general steps are to review application logs for suspicious OQL query patterns and to confirm whether versions 8.6.1.0 through 8.6.1.6 are in use.
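A scanner for the log review just described, as an added example written for this page and not IBM tooling: it walks constructed log lines carrying OQL query strings and flags SELECT NEW on classes outside the application's own packages, enum-style literals on such classes, and any other class reference that could feed a reflection-based comparator. The log line format, the allow-listed package prefix and the sample queries are assumptions; class names are recognised by a naming-convention heuristic, so treat hits as leads rather than proof.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not IBM code. Scans OQL query strings recovered from
// application logs for the constructs the advisory names. The log
// format, the allow-listed package and the sample queries are assumptions.
public class OqlQueryScanner {

    // SELECT [DISTINCT] NEW <qualified name>( : the constructor sink.
    private static final Pattern SELECT_NEW = Pattern.compile(
        "(?i)\\bselect\\s+(?:distinct\\s+)?new\\s+([\\w$.]+)\\s*\\(");

    // Heuristic for a Java class reference: two or more lowercase package
    // segments, a capitalised type name, and optionally a trailing
    // ALL_CAPS constant, which is how an enum literal is spelled. Alias
    // paths such as o.customer.name never match: no segment is capitalised.
    private static final Pattern CLASS_REF = Pattern.compile(
        "(?<![\\w$.])((?:[a-z_$][\\w$]*\\.){2,}[A-Z][\\w$]*)(\\.[A-Z_][A-Z0-9_]*)?(?![\\w$.])");

    private final Set<String> allowedPackagePrefixes;

    public OqlQueryScanner(Set<String> allowedPackagePrefixes) {
        this.allowedPackagePrefixes = allowedPackagePrefixes;
    }

    private boolean allowed(String className) {
        for (String prefix : allowedPackagePrefixes) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    /** One finding per class the application did not vouch for; empty means clean. */
    public List<String> scan(String oql) {
        List<String> findings = new ArrayList<>();
        Set<String> reported = new HashSet<>();

        Matcher sn = SELECT_NEW.matcher(oql);
        while (sn.find()) {
            String target = sn.group(1);
            if (!allowed(target) && reported.add(target)) {
                findings.add("SELECT NEW on a class outside the allow-list: " + target);
            }
        }
        Matcher cr = CLASS_REF.matcher(oql);
        while (cr.find()) {
            String cls = cr.group(1);
            String constant = cr.group(2);
            if (allowed(cls) || !reported.add(cls)) continue;
            findings.add(constant != null
                ? "enum-style literal on a class outside the allow-list: " + cls + constant
                : "class reference outside the allow-list: " + cls);
        }
        return findings;
    }

    public static void main(String[] args) {
        OqlQueryScanner scanner = new OqlQueryScanner(Set.of("com.example.inventory."));
        // Constructed sample log lines in the form "<timestamp> OQL <query>".
        String[] logLines = {
            "2026-06-30T10:00:01Z OQL SELECT o FROM Order o WHERE o.customer.name = ?1",
            "2026-06-30T10:00:02Z OQL SELECT NEW com.example.inventory.OrderView(o.id, o.total) FROM Order o",
            "2026-06-30T10:00:03Z OQL SELECT NEW java.lang.ProcessBuilder(o.note) FROM Order o",
            "2026-06-30T10:00:04Z OQL SELECT DISTINCT o FROM Order o WHERE o.status = com.example.legacy.Status.OPEN"
        };
        for (String line : logLines) {
            String oql = line.substring(line.indexOf(" OQL ") + 5);
            List<String> findings = scanner.scan(oql);
            System.out.println((findings.isEmpty() ? "clean   " : "SUSPECT ") + line);
            for (String f : findings) System.out.println("    - " + f);
        }
    }
}
```

Run with `java OqlQueryScanner.java` (Java 11 or later). The two sample lines naming java.lang.ProcessBuilder and com.example.legacy.Status.OPEN are reported; the two that stay inside the application's own package are not. Widen the allow-list to every package the application legitimately projects into, otherwise ordinary SELECT NEW views will drown the signal.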

Mitigation Strategies

Immediate mitigation steps recommended by IBM include:

  • Avoid concatenating direct user input into OQL queries.
  • Restrict class names used in OQL queries to an allow list.
  • Prevent users from modifying OQL syntax.
  • Validate all inputs that influence OQL queries.
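The four steps above applied to one query-building path, as an added example written for this page and not IBM code: the concatenation pattern the advisory warns about beside a builder that admits only short labels, maps them to class literals, keeps the query text fixed and binds the one user-supplied value. The Order entity, the view and sort-field names, and the ObjectQuery binding calls mentioned in the comment are assumptions; OrderSummary and OrderDetail are nested stand-ins for the application's own projection classes, which is why their runtime names carry a `$`.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not IBM code. The four mitigations applied to one
// query-building path, beside the concatenation pattern they replace.
// Entity, view and field names are assumptions; OrderSummary and
// OrderDetail stand in for the application's own projection classes.
public class SafeOqlBuilder {

    public static final class OrderSummary { }
    public static final class OrderDetail { }

    /** Query text plus the values to bind positionally (?1, ?2, ...). */
    public static final class BoundQuery {
        public final String oql;
        public final List<Object> params;
        BoundQuery(String oql, List<Object> params) { this.oql = oql; this.params = params; }
    }

    // Allow-list of classes SELECT NEW may name, keyed by the short label a
    // caller may send. Class literals, not request strings, decide what
    // Class.forName() inside the query engine will be asked to load.
    private static final Map<String, Class<?>> VIEW_ALLOW_LIST = Map.of(
        "summary", OrderSummary.class,
        "detail", OrderDetail.class);

    // Allow-list of sort fields: ORDER BY cannot take a bound parameter,
    // so the only way to keep callers out of the syntax is a fixed menu.
    private static final Set<String> SORT_FIELDS = Set.of("id", "total", "created");

    // Shape check for the one value we do bind, so a bad request fails
    // loudly in the application instead of reaching the grid.
    private static final Pattern STATUS = Pattern.compile("[A-Z_]{1,16}");

    /** BEFORE: the request chooses the class and can edit the syntax. */
    public static String buildUnsafe(String viewClass, String status, String orderBy) {
        return "SELECT NEW " + viewClass + "(o.id, o.total) FROM Order o"
             + " WHERE o.status = '" + status + "' ORDER BY o." + orderBy;
    }

    /** AFTER: only labels enter; the query text is fixed; the value is bound. */
    public static BoundQuery buildSafe(String viewLabel, String status, String orderBy) {
        Class<?> view = VIEW_ALLOW_LIST.get(viewLabel);
        if (view == null) {
            throw new IllegalArgumentException("unknown view label: " + viewLabel);
        }
        if (!SORT_FIELDS.contains(orderBy)) {
            throw new IllegalArgumentException("unknown sort field: " + orderBy);
        }
        if (!STATUS.matcher(status).matches()) {
            throw new IllegalArgumentException("malformed status");
        }
        String oql = "SELECT NEW " + view.getName() + "(o.id, o.total) FROM Order o"
                   + " WHERE o.status = ?1 ORDER BY o." + orderBy;
        return new BoundQuery(oql, List.of(status));
    }

    public static void main(String[] args) {
        // The "view" request parameter as an attacker would send it.
        String hostile = "java.lang.ProcessBuilder";

        System.out.println("unsafe:   " + buildUnsafe(hostile, "OPEN", "id"));

        BoundQuery ok = buildSafe("summary", "OPEN", "id");
        System.out.println("safe:     " + ok.oql + "  params=" + ok.params);
        // Hand the pair to the grid client; with the WXS ObjectQuery API
        // (names assumed here, verify against your version's Javadoc):
        //   ObjectQuery q = session.createObjectQuery(ok.oql);
        //   q.setParameter(1, ok.params.get(0));

        try {
            buildSafe(hostile, "OPEN", "id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The unsafe line prints a query that names java.lang.ProcessBuilder in SELECT NEW, which is exactly the string the vulnerable engine would hand to Class.forName(). The hardened builder never sees a class name from the request at all: the label lookup fails closed, the sort field comes from a fixed set, and the status value travels as a bound parameter rather than as query text.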

Additionally, if WebSphere eXtreme Scale is used only as a Session Cache (Session Grid), the risk is mitigated since OQL queries are not executed in that scenario.

No official workarounds are provided, so customers should assess their environments carefully and apply these mitigations promptly.

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
