Remote Code Execution Vulnerability in IBM WebSphere Extreme Scale
CVE-2026-13759
7.5 HIGH
What is CVE-2026-13759?
IBM WebSphere Extreme Scale versions 8.6.1.0 to 8.6.1.6 contain a vulnerability caused by three insecure ObjectInputStream subclasses that do not implement JEP-290 class filters. This gap allows an attacker who is either post-login or LAN-adjacent to leverage multiple RCE gadget chains, including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator, to execute arbitrary code on peer WebSphere Application Server (WAS) JVMs when the Coherence library is present on the classpath.
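The missing control, shown as an added example rather than IBM's code or its fix: an ObjectInputStream subclass that installs a JEP-290 allowlist filter in its constructor, so a class outside the list is refused before any of its deserialization logic runs. The names `FilteredStreamDemo`, `GridMessage` and `AllowlistObjectInputStream` are hypothetical, the sample objects are constructed, and the Java 9+ `java.io.ObjectInputFilter` API is assumed.

```java
import java.io.*;
import java.util.PriorityQueue;
import java.util.Set;

public class FilteredStreamDemo {
    // Constructed stand-in for a legitimate application message type.
    static class GridMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        GridMessage(String key) { this.key = key; }
    }

    // Installs the allowlist in the constructor, so no caller can obtain
    // an unfiltered instance of this stream.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) { // back-reference or limit check: only bound the depth
                    return info.depth() > 16 ? ObjectInputFilter.Status.REJECTED
                                             : ObjectInputFilter.Status.UNDECIDED;
                }
                while (c.isArray()) c = c.getComponentType(); // judge arrays by element type
                return (c.isPrimitive() || allowed.contains(c.getName()))
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static String tryRead(byte[] data, Set<String> allowed) throws Exception {
        try (ObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) { // thrown when the filter returns REJECTED
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(GridMessage.class.getName(), "java.lang.String");
        System.out.println(tryRead(serialize(new GridMessage("k1")), allowed));
        // An empty PriorityQueue is harmless; it only shows the class is refused by name.
        System.out.println(tryRead(serialize(new PriorityQueue<String>()), allowed));
    }
}
```

An explicit allowlist ending in rejection is the safer default here, since a denylist has to anticipate every gadget class present on the classpath.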
Affected Version(s)
WebSphere Extreme Scale 8.6.1.0 <= 8.6.1.6