CVE-2026-9311

IBM WebSphere Application Server is affected by remote code execution

Assigner: ibm
Reserved: 22.05.2026 Published: 01.06.2026 Updated: 02.06.2026

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	IBM
Product	WebSphere Application Server
Versions	affected from 9.0 to 1.1.9.12 (incl.) Version 8.5 is affected

Vendor

IBM

Product

WebSphere Application Server

Versions

affected from 9.0 to 1.1.9.12 (incl.)
Version 8.5 is affected

Solutions

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71453.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.28: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71453 https://www.ibm.com/support/pages/node/7274233 --OR-- · Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71453 https://www.ibm.com/support/pages/node/7274233 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.

References

Problem Types