CVE-2026-9311
Analyzed Analyzed - Analysis Complete
Remote Code Execution in IBM WebSphere Application Server

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: IBM Corporation

Description
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-04
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-9311
EUVD
EUVD-2026-33735
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ibm websphere_application_server From 8.5.0.0 (inc) to 8.5.5.30 (exc)
ibm websphere_application_server From 9.0.0.0 (inc) to 9.0.5.29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9311 is a vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5 that allows remote code execution. This occurs because an attacker can bypass security controls, leading to improper control of code generation or code injection.

Impact Analysis

This vulnerability has a critical severity with a CVSS base score of 9.0, meaning it can have a severe impact. An attacker exploiting this flaw could execute arbitrary code remotely, potentially leading to full compromise of the affected system, including complete control over confidentiality, integrity, and availability.

Mitigation Strategies

IBM recommends applying interim fixes or upgrading to specific fix packs to address the vulnerability in IBM WebSphere Application Server versions 9.0 and 8.5.

  • For version 9.0.0.0 through 9.0.5.28, either upgrade to the required fix pack levels and apply the interim fix for APAR PH71453 or apply Fix Pack 9.0.5.29 or later.
  • For version 8.5.0.0 through 8.5.5.29, upgrade to the required fix pack levels and apply the interim fix or apply Fix Pack 8.5.5.30 or later.

No workarounds or mitigations are currently available.

Compliance Impact

CVE-2026-9311 is a critical remote code execution vulnerability in IBM WebSphere Application Server that allows bypassing security controls. Such a vulnerability can potentially lead to unauthorized access, data breaches, or manipulation of sensitive information.

Because of its severity and impact on confidentiality, integrity, and availability (all rated high), this vulnerability could negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.

Organizations using affected versions of IBM WebSphere Application Server should apply the recommended fixes promptly to maintain compliance and reduce the risk of regulatory violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9311. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart