IBM WAS 8.5-9.0 RCE via Deserialization in JAX-WS WS-Security: CVE-2026-9319 June 2026

IBM WebSphere Application Server is affected by a remote code execution vulnerability
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.

Vulnerability Analysis

CVE-2026-9319 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-9319 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Products Associated with CVE-2026-9319

Want to know whenever a new CVE is published for IBM WebSphere Application Server? stack.watch will email you.

IBM WAS 8.5-9.0 RCE via Deserialization in JAX-WS WS-Security
CVE-2026-9319 Published on June 1, 2026

Vulnerability Analysis

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

Products Associated with CVE-2026-9319

Affected Versions

IBM WAS 8.5-9.0 RCE via Deserialization in JAX-WS WS-SecurityCVE-2026-9319 Published on June 1, 2026

Vulnerability Analysis

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

Products Associated with CVE-2026-9319

Affected Versions

IBM WAS 8.5-9.0 RCE via Deserialization in JAX-WS WS-Security
CVE-2026-9319 Published on June 1, 2026