Remote Code Execution Risk in IBM WebSphere eXtreme Scale Product
CVE-2026-13773

6 MEDIUM

Key Information:

Vendor: IBM

CVE Published: 30 June 2026

What is CVE-2026-13773?

A vulnerability in IBM WebSphere eXtreme Scale versions 8.6.1.0 through 8.6.1.6 allows execution of untrusted code through improper handling of Java deserialization. The issue is triggered when multiple generated CORBA stub classes in the ogclient.jar file invoke ORB.string_to_object() on an attacker-controlled IOR string. As a result, any unfiltered ObjectInputStream sink in WebSphere Application Server (WAS) can be turned into an outbound IIOP Server-Side Request Forgery (SSRF) against a specified host. When combined with a separate flaw in the IBM ORB's getUserException class instantiation, this SSRF can escalate to remote code execution on the calling Java Virtual Machine (JVM).

Affected Version(s)

WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6

CVSS v3.1

Score: 6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved