IBM has disclosed three critical vulnerabilities in IBM WebSphere Application Server versions 8.5 and 9.0, tracked as CVE-2026-8644, CVE-2026-9311, and CVE-2026-9319. The vulnerabilities include identity spoofing (CVSS 9.1) and two remote code execution vectors (both CVSS 9.0) via security control bypass and JAX-WS deserialization. Organisations running WebSphere Application Server in production should apply all three fixes in a single coordinated maintenance window.
What Are the Vulnerabilities?
The three vulnerabilities were disclosed simultaneously on June 1, 2026 and affect the same product versions. They should be treated as a coordinated patch bundle:
CVE-2026-8644 — Identity Spoofing (CVSS 9.1): An authentication bypass vulnerability that allows an attacker to spoof the identity of legitimate users. Classified under CWE-290 (Authentication Bypass by Spoofing), this vulnerability undermines the core authentication mechanism of the application server, enabling an attacker to impersonate any user — including administrative accounts — and access protected resources and functionality.
CVE-2026-9311 — Remote Code Execution via Security Control Bypass (CVSS 9.0): A code injection vulnerability caused by the bypass of security controls within WebSphere. An attacker who exploits this vulnerability can execute arbitrary code on the server, achieving full system compromise. Classified under CWE-94 (Code Injection).
CVE-2026-9319 — Remote Code Execution via JAX-WS Deserialization (CVSS 9.0): A deserialization of untrusted data vulnerability in JAX-WS (Java API for XML Web Services) endpoints with WS-Security enabled. An attacker can send malicious serialized Java objects to these endpoints, triggering deserialization that leads to arbitrary code execution. Classified under CWE-502 (Deserialization of Untrusted Data). Java deserialization vulnerabilities have historically been among the most dangerous and widely exploited vulnerability classes — the 2017 Equifax breach (CVE-2017-5638 in Apache Struts) is the most notorious example.
- CVE-2026-8644: CVSS 9.1 Critical — Identity spoofing
- CVE-2026-9311: CVSS 9.0 Critical — RCE via security control bypass
- CVE-2026-9319: CVSS 9.0 Critical — RCE via JAX-WS deserialization
Which Versions Are Affected?
All three vulnerabilities affect IBM WebSphere Application Server:
- IBM WebSphere Application Server 8.5 — all versions prior to the fix pack addressing these CVEs
- IBM WebSphere Application Server 9.0 — all versions prior to the fix pack addressing these CVEs
WebSphere Application Server is IBM’s flagship Java EE application server, deployed across enterprise, financial services, insurance, government, and telecommunications environments globally. It hosts business-critical applications and is deeply integrated with backend databases, message queues, and enterprise service buses. The broad deployment footprint and the criticality of the applications it hosts make these vulnerabilities particularly high-impact.
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed at the time of writing. However, Java deserialization vulnerabilities such as CVE-2026-9319 have a well-established track record of rapid weaponisation — they are consistently among the most targeted vulnerability classes in enterprise software. The simultaneous disclosure of three critical vulnerabilities in the same product increases the risk profile: an attacker who gains access via the identity spoofing vulnerability (CVE-2026-8644) can then exploit either RCE vector (CVE-2026-9311 or CVE-2026-9319) to escalate to full server compromise. The combination of authentication bypass plus remote code execution in a single product version is a dangerous pairing. Organisations should patch proactively and not wait for confirmed exploitation.
What Are the Fixes?
IBM has released fixes for all three vulnerabilities. Administrators should apply the appropriate IBM WebSphere fix pack or interim fix for their version:
- CVE-2026-8644 (Identity Spoofing): IBM Support — node/7274740
- CVE-2026-9311 (RCE — Security Bypass): IBM Support — node/7274733
- CVE-2026-9319 (RCE — Deserialization): IBM Support — node/7274738
Apply the fix pack or interim fix that bundles all three patches in a single maintenance window. Verify the installed patch level via the WebSphere Integrated Solutions Console or the versionInfo command.
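One way to turn the versionInfo check into an inventory-wide report, as an added example that is not IBM's code or part of this advisory: it parses the "Installed Product" section that versionInfo prints and compares the version against a minimum level. The minimum levels in REQUIRED_LEVEL are placeholders, not values from IBM; the sample output is constructed.

```python
"""Check WebSphere versionInfo output against a minimum patched level.

Added example, not IBM's code. Assumes the output of
<WAS_HOME>/bin/versionInfo.sh (versionInfo.bat on Windows) was captured to a
string. The required levels are PLACEHOLDERS: take the real fix-pack or
interim-fix levels from the three IBM support pages linked above.
"""
import re

# PLACEHOLDER minimum fix-pack level per release train (not from IBM).
REQUIRED_LEVEL = {
    "8.5": (8, 5, 5, 99),
    "9.0": (9, 0, 5, 99),
}

# Constructed sample of the "Installed Product" section versionInfo prints.
SAMPLE_VERSION_INFO = """\
Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server Network Deployment
Version               9.0.5.14
ID                    ND
Architecture          x86-64 (64 bit)
"""

def parse_version(output: str) -> tuple:
    """Return the installed product version as a tuple of ints, e.g. (9, 0, 5, 14)."""
    m = re.search(r"^Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version' line found in versionInfo output")
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(version: tuple) -> bool:
    """True when the installed level meets the required level for its train."""
    train = f"{version[0]}.{version[1]}"
    if train not in REQUIRED_LEVEL:
        raise ValueError(f"release train {train} is not in scope for these CVEs")
    return version >= REQUIRED_LEVEL[train]

def check(output: str) -> dict:
    """Summarise one host's versionInfo output for an inventory report."""
    version = parse_version(output)
    return {"version": ".".join(map(str, version)), "patched": is_patched(version)}

if __name__ == "__main__":
    print(check(SAMPLE_VERSION_INFO))   # {'version': '9.0.5.14', 'patched': False}
```

Run the script against the captured versionInfo output of every instance found during the inventory audit; interim fixes can be listed with versionInfo -ifixes if the bulletin names an iFix rather than a fix pack.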
Recommendations
Apply all three fixes together in your next maintenance window. These vulnerabilities affect the same product versions and were disclosed together — treat them as a single coordinated patch event. The combination of identity spoofing (CVSS 9.1) plus two RCE vectors (CVSS 9.0 each) makes this a high-risk bundle. Do not defer patching.
Audit your WebSphere inventory. WebSphere instances are often deployed in environments where they were installed years ago as the foundation for critical business applications. Identify all WebSphere instances across development, test, staging, and production environments and verify the patch level. Pay special attention to WebSphere 8.5 instances, which may be running legacy applications with extended support contracts and conservative patching policies.
Review JAX-WS endpoint exposure. CVE-2026-9319 specifically targets JAX-WS endpoints with WS-Security. Audit your WebSphere configuration to identify which JAX-WS endpoints are exposed, particularly those accessible from untrusted networks. Restrict access to JAX-WS endpoints to only trusted application tiers and authenticated clients. Consider disabling WS-Security on endpoints where it is not strictly required as a defence-in-depth measure.
Monitor for post-patch exploitation attempts. After applying the fixes, monitor WebSphere security audit logs for: authentication anomalies that could indicate attempted identity spoofing, unexpected JAX-WS endpoint access from unrecognised sources, and deserialization errors or exceptions that could indicate attempted exploitation of CVE-2026-9319. Configure your SIEM to alert on these patterns.
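The three log patterns above, expressed as detection logic over sample lines, as an added example that is not IBM's code or part of this advisory: the sample lines are constructed in the style of SystemOut.log, the NCSA http_access.log and a key=value audit record, and the trusted networks, JAX-WS paths and admin account names are assumptions to adapt per environment.

```python
"""Triage WebSphere log lines for the post-patch indicators listed above.

Added example, not IBM's or the report's code. Sample lines are CONSTRUCTED;
trusted networks, JAX-WS paths and admin account names are assumptions.
"""
import ipaddress
import re

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
JAXWS_PATHS = ("/OrderService", "/ws/")    # assumed JAX-WS endpoint paths
ADMIN_ACCOUNTS = {"wasadmin"}                # assumed privileged principals
DESER_MARKERS = ("ObjectInputStream", "readObject",
                 "InvalidClassException", "StreamCorruptedException")

NCSA_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3})')
AUDIT_RE = re.compile(r"^AUDIT user=(\S+) outcome=\S+ src=(\S+)")

SAMPLE_LINES = [  # constructed, not real log output
    "[6/2/26 14:03:11:512 UTC] 0000004f SystemErr R java.io.InvalidClassException: "
    "filter status: REJECTED at java.io.ObjectInputStream.readObject",
    '10.20.30.40 - - [02/Jun/2026:14:02:58 +0000] "POST /OrderService HTTP/1.1" 200 812',
    '203.0.113.10 - - [02/Jun/2026:14:03:10 +0000] "POST /OrderService HTTP/1.1" 500 512',
    "AUDIT user=wasadmin outcome=SUCCESS src=10.20.30.41",
    "AUDIT user=wasadmin outcome=SUCCESS src=203.0.113.10",
]

def is_trusted(ip: str) -> bool:
    """True when the address falls inside an assumed trusted application tier."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines):
    """Return (rule, line) pairs for lines matching one of the three indicators."""
    hits = []
    for line in lines:
        if any(marker in line for marker in DESER_MARKERS):
            hits.append(("deserialization_error", line))    # CVE-2026-9319 indicator
            continue
        m = NCSA_RE.match(line)
        if m and m.group(3).startswith(JAXWS_PATHS) and not is_trusted(m.group(1)):
            hits.append(("untrusted_jaxws_access", line))
            continue
        m = AUDIT_RE.match(line)
        if m and m.group(1) in ADMIN_ACCOUNTS and not is_trusted(m.group(2)):
            hits.append(("admin_auth_from_untrusted", line))  # possible spoofing
    return hits
```

Each rule maps to one SIEM alert; the deserialization markers fire on exception text rather than on request content, so they also catch failed attempts that a patched server rejects.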
Plan for WebSphere lifecycle management. WebSphere 8.5 is an older release with a finite support window. If your organisation is still running WebSphere 8.5 in production, use this patching event as an opportunity to begin planning migration to a more current, fully supported version — or evaluate alternative application server platforms as part of your technology refresh cycle.
References
- IBM Support — CVE-2026-8644 (Identity Spoofing)
- IBM Support — CVE-2026-9311 (RCE — Security Bypass)
- IBM Support — CVE-2026-9319 (RCE — Deserialization)
- NVD: CVE-2026-8644
- NVD: CVE-2026-9311
- NVD: CVE-2026-9319
- Vulnerability Intelligence Report — June 2, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 2, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
