CVE-2026-13759 PUBLISHED

IBM WebSphere eXtreme Scale is affected by Insecure Deserialization

Assigner: ibm
Reserved: 29.06.2026 Published: 30.06.2026 Updated: 01.07.2026

IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP 290 deserialization filter. When Coherence is on the classpath, multiple RCE gadget chains, including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator, are confirmed working. This allows a post-login attacker who can write a session attribute, or a LAN-adjacent attacker on the grid replication wire, to execute arbitrary code on peer WebSphere Application Server (WAS) JVMs.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5

Product Status

Vendor IBM
Product WebSphere Extreme Scale
Versions
  • affected from 8.6.1.0 to 8.6.1.6 (incl.)

Solutions

We recommend that customers enable encryption (SSL/TLS) of the data that flows between eXtreme Scale clients and servers; see https://www.ibm.com/docs/en/wxs/latest?topic=sydgies-securing-data-that-flows-between-extreme-scale-clients-servers-ssl-encryption. Note that encryption only protects the replication wire from a LAN-adjacent attacker; it does not change how received objects are deserialized, so the authenticated session-attribute path described above is not closed by encryption alone.

For additional protection, customers can enable the JEP 290 global JVM deserialization filter (-Djdk.serialFilter) when starting the catalog and container servers. JEP 290 filtering is available in the JVM from 8.0.8.5 onwards. The filter should allow-list the application's own serializable types and reject everything else (a trailing !* pattern); a filter that only rejects known gadget classes leaves every unlisted chain open.
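The following is an added example written for this page; it is not code from the IBM advisory or from eXtreme Scale. It shows the difference between the affected pattern (a plain ObjectInputStream with no filter) and a JEP 290 allow-list filter, using the java.io.ObjectInputFilter API available from Java 9 (on Java 8 the same filter lives in sun.misc.ObjectInputFilter and is attached with ObjectInputFilter.Config.setObjectInputFilter(ois, filter)). The SessionAttribute class, the use of an empty PriorityQueue as a stand-in for an unexpected container type, and the filter pattern are all constructed for the demonstration; a real allow-list would name the application's own session and grid object types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.PriorityQueue;

public class SerialFilterDemo {

    // Constructed for this example: a benign type the application legitimately
    // stores as a session attribute and replicates across the grid.
    static class SessionAttribute implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;

        SessionAttribute(String user) {
            this.user = user;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Affected pattern: an ObjectInputStream with no filter installed will
    // instantiate whatever class the peer (or attacker) put on the wire.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: a per-stream allow-list. The pattern string is the same
    // syntax accepted JVM-wide by -Djdk.serialFilter; the trailing "!*" rejects
    // every class that is not explicitly listed, including gadget containers.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "SerialFilterDemo$SessionAttribute;maxdepth=5;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new SessionAttribute("alice"));
        // Stand-in for an unexpected container type; an empty queue is harmless here.
        byte[] unexpected = serialize(new PriorityQueue<Object>());

        System.out.println(readUnfiltered(benign).getClass().getName());     // SessionAttribute
        System.out.println(readUnfiltered(unexpected).getClass().getName()); // PriorityQueue is accepted
        System.out.println(readFiltered(benign).getClass().getName());       // SessionAttribute
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter refuses the class before any constructor or readResolve runs.
            System.out.println("rejected: " + e.getMessage());               // filter status: REJECTED
        }
    }
}
```

At JVM scope the equivalent is to start each catalog and container server with -Djdk.serialFilter='com.example.app.**;maxdepth=5;!*' (package name assumed), which covers every ObjectInputStream in the process, including the three unfiltered subclasses named in the description, without code changes. Keep the list tight: each allowed package is a place a gadget class could hide, and the filter can also be used to cap maxarray, maxrefs and maxbytes against resource-exhaustion payloads.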

References

Problem Types

  • CWE-502 Deserialization of Untrusted Data