CVE-2026-13773
Status: Received - Intake

IBM WebSphere eXtreme Scale Java Deserialization RCE

Vulnerability report for CVE-2026-13773, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6: approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WebSphere Application Server (WAS) into an outbound IIOP SSRF to an attacker-chosen host. When chained with the IBM ORB's getUserException class-instantiation flaw (tracked as WAS-26), this SSRF escalates to remote code execution on the calling JVM.

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
External trackers: NVD, EUVD

Affected Vendors & Products

Associated CPE (1):
Vendor: ibm
Product: websphere_extreme_scale
Version / Range: from 8.6.1.0 (inclusive) to 8.6.1.6 (inclusive)

Helpful Resources

Exploitability

CWE
KEV

CWE ID: CWE-918 (Server-Side Request Forgery (SSRF))
Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Executive Summary

IBM WebSphere eXtreme Scale versions 8.6.1.0 through 8.6.1.6 contain a vulnerability involving approximately 50 generated CORBA stub classes in the ogclient.jar file. These classes call ORB.string_to_object() on attacker-controlled IOR strings during Java deserialization. This behavior allows any unfiltered ObjectInputStream sink in WebSphere Application Server (WAS) to perform outbound IIOP server-side request forgery (SSRF) to a host chosen by the attacker.

Furthermore, when this SSRF is chained with the IBM ORB's getUserException class-instantiation flaw (tracked as WAS-26), it escalates to remote code execution on the affected Java Virtual Machine (JVM).
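As an added illustration (not code from this page, from IBM, or from the WebSphere products), the Java program below shows the precondition the description names, an unfiltered ObjectInputStream sink, beside the same sink with a JEP 290 allowlist filter. HypotheticalStub and OrderMessage are constructed stand-ins: the stub's readObject() records the IOR string it would have handed to ORB.string_to_object() instead of opening an IIOP connection, and the placeholder IOR value is not a real IOR. The actual stub classes in ogclient.jar are not named on this page and are not used here; that is also why the filter is an allowlist ending in "!*" rather than a blocklist of class names.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: an ObjectInputStream sink before and after a JEP 290 allowlist filter.
 * HypotheticalStub is a constructed stand-in for a generated CORBA stub whose readObject()
 * resolves an IOR string; it records the resolution instead of opening an IIOP connection.
 */
public class IiopSinkFilterDemo {

    /** Stand-in for the ORB's outbound IIOP connect: records what string_to_object() would have resolved. */
    static final List<String> OUTBOUND = new ArrayList<>();

    /** Hypothetical stand-in for a generated CORBA stub class (not a real ogclient.jar class). */
    static class HypotheticalStub implements Serializable {
        private static final long serialVersionUID = 1L;
        private String ior;

        HypotheticalStub(String ior) {
            this.ior = ior;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A real stub calls ORB.string_to_object(ior) here; the host:port inside the IOR
            // comes from whoever built the bytes, so the JVM connects wherever they chose.
            OUTBOUND.add("string_to_object(" + ior + ")");
        }
    }

    /** The application type this sink is actually meant to receive. */
    static class OrderMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;

        OrderMessage(String orderId) {
            this.orderId = orderId;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: any Serializable class on the classpath may be instantiated and its readObject() run. */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened pattern: the filter is consulted for every class descriptor before the class is
     * resolved, so a rejected stub never reaches readObject(). The trailing "!*" rejects every
     * class not listed earlier, which covers stub classes whose names you do not know.
     */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "IiopSinkFilterDemo$OrderMessage;java.lang.String;maxdepth=8;maxrefs=100;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads: the IOR string is a placeholder, not a valid IOR.
        byte[] hostile = serialize(new HypotheticalStub("IOR:placeholder-attacker-host"));
        byte[] benign = serialize(new OrderMessage("ORD-42"));

        readUnfiltered(hostile);
        System.out.println("unfiltered sink resolved: " + OUTBOUND);
        OUTBOUND.clear();

        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered sink rejected the stub: " + e.getMessage());
        }
        System.out.println("resolutions after filtered read: " + OUTBOUND);

        OrderMessage m = (OrderMessage) readFiltered(benign);
        System.out.println("filtered sink accepted legitimate type: " + m.orderId);
    }
}
```

Run it with a JDK 9 or later (java IiopSinkFilterDemo.java): the unfiltered read records one resolution, the filtered read of the same bytes throws InvalidClassException before the stub's readObject() runs, and the filtered read of the legitimate type succeeds. For sinks whose code you do not own, the same pattern syntax can be applied JVM-wide through the jdk.serialFilter system property (available since JDK 9 and the 8u121 update). This closes only the "unfiltered ObjectInputStream sink" precondition from the description; it does not change the ORB's own IIOP behaviour or the WAS-26 chain, so it is defence in depth alongside the vendor's guidance to move off ORB, not a replacement for it.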

Impact Analysis

This vulnerability can allow an attacker to cause the WebSphere Application Server to send requests to attacker-chosen hosts via SSRF, potentially bypassing network restrictions.

More critically, if chained with another IBM ORB flaw (WAS-26), it can lead to remote code execution on the JVM running the affected application, which could allow the attacker to execute arbitrary code, compromise the server, and access sensitive data.

Mitigation Strategies

The recommended remediation is to avoid using ORB as the transport protocol and instead use IBM eXtremeIO (XIO).

Upgrading to WebSphere eXtreme Scale version 8.6.2 or higher is advised, as ORB support has been removed in these versions.

No workarounds or mitigations are currently available if ORB is used.

The vulnerability does not apply if ORB is not used as the transport protocol.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
