CVE-2026-9311
Remote Code Execution in IBM WebSphere Application Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: IBM Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | websphere_application_server | From 9.0.0.0 (inc) to 9.0.5.28 (inc) |
| ibm | websphere_application_server | From 8.5.0.0 (inc) to 8.5.5.29 (inc) |
| ibm | websphere_application_server | 9.0 |
| ibm | websphere_application_server | 8.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9311 is a vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5 that allows remote code execution. An attacker who bypasses the affected security controls can inject code that the server then executes (improper control of code generation, CWE-94).
How can this vulnerability impact me?
This vulnerability has a critical severity with a CVSS base score of 9.0, meaning it can have a severe impact. An attacker exploiting this flaw could execute arbitrary code remotely, potentially leading to full compromise of the affected system, including complete control over confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
IBM recommends applying interim fixes or upgrading to specific fix packs to address the vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5.
- For version 9.0.0.0 through 9.0.5.28, either upgrade to the required fix pack levels and apply the interim fix for APAR PH71453 or apply Fix Pack 9.0.5.29 or later.
- For version 8.5.0.0 through 8.5.5.29, upgrade to the required fix pack levels and apply the interim fix or apply Fix Pack 8.5.5.30 or later.
No workarounds or mitigations are currently available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-9311 is a critical remote code execution vulnerability in IBM WebSphere Application Server that allows bypassing security controls. Such a vulnerability can potentially lead to unauthorized access, data breaches, or manipulation of sensitive information.
Because of its severity and impact on confidentiality, integrity, and availability (all rated high), this vulnerability could negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.
Organizations using affected versions of IBM WebSphere Application Server should apply the recommended fixes promptly to maintain compliance and reduce the risk of regulatory violations.