CVE-2026-13773 in WebSphere Extreme Scale

Summary

by MITRE • 06/30/2026

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6. Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.


Analysis

by VulDB Data Team • 07/01/2026

This vulnerability affects IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6, where approximately 50 CORBA stub classes contained in ogclient.jar invoke ORB.string_to_object() on attacker-controlled IOR strings during Java deserialization. The flaw is triggered when one of these stub classes is deserialized by any unfiltered ObjectInputStream sink in the JVM, which lets a remote adversary make the server open outbound IIOP connections (Server-Side Request Forgery) to hosts of the attacker's choosing. The weakness is classified as CWE-502, Deserialization of Untrusted Data: the deserialization process becomes a conduit for malicious code execution through the CORBA object reference mechanism.

The operational impact is severe because the attacker can make the target system open outbound connections to any host they control, potentially bypassing network segmentation and firewall restrictions. This SSRF capability lets threat actors probe internal networks, exfiltrate data, or establish command and control channels without direct access to the vulnerable system. When combined with the IBM ORB's getUserException class-instantiation flaw known as WAS-26, the impact escalates from network reconnaissance to full remote code execution within the calling JVM. This chaining turns what might initially appear to be a network-level issue into a critical remote code execution vulnerability that can compromise entire application servers.

Exploitation requires an attacker to first identify a Java deserialization endpoint within WebSphere Application Server that processes unfiltered ObjectInputStream data, then supply serialized objects containing attacker-controlled IOR strings. The ORB.string_to_object() call turns these strings into CORBA object references, which triggers the outbound IIOP connections that constitute the SSRF. Chaining with the WAS-26 vulnerability lets the attacker use the getUserException mechanism to instantiate arbitrary classes on the target system, bypassing standard security restrictions. The combined chain operates entirely within the JVM's deserialization framework and is aligned with ATT&CK technique T1059.007 for Command and Scripting Interpreter and T1133 for External Remote Services.

Organizations should apply immediate mitigations: disable unnecessary deserialization endpoints, enforce strict input validation on all ObjectInputStream processing, and apply the IBM security patches for the affected WebSphere Extreme Scale versions. Network segmentation should restrict outbound connections from application servers, and monitoring should be configured to detect unusual IIOP traffic patterns. The fix requires updating to IBM WebSphere Extreme Scale versions that address both the CORBA stub deserialization flaw and the getUserException class-instantiation vulnerability, so that all affected components receive the security updates. Organizations should also assess their Java applications for any other deserialization sinks that could be exploited in a similar fashion, apply least-privilege configurations, and carry out regular security audits to prevent future exploitation.
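The "strict input validation on all ObjectInputStream processing" recommended above is, in practice, a JEP 290 deserialization filter. The following is an added example written for this entry, not IBM's code and not part of the VulDB record: an allowlist ObjectInputFilter installed on an ObjectInputStream sink. The filter is consulted when the stream resolves each class descriptor, before that class's own readObject()/readResolve() logic runs, so a CORBA stub that is not on the allowlist is rejected before ORB.string_to_object() can ever be reached. The OrderRequest and Unexpected types are hypothetical; Unexpected is a constructed stand-in for any class the endpoint does not expect (a stub from ogclient.jar, a gadget-chain class, or anything else). Requires Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Added example, not IBM's code: an allowlist deserialization filter (JEP 290).
// Every class not explicitly expected by this endpoint is rejected at class
// resolution, so no stub or gadget class gets a chance to run its own logic.
public class DeserializationAllowlist {

    // Hypothetical application DTO: the only type this endpoint expects on the wire.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        OrderRequest(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    // Constructed stand-in for an unexpected serializable type; it is not on the allowlist.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload = "ignored";
    }

    // Only these classes may be resolved from the stream; everything else is rejected.
    private static final Set<Class<?>> ALLOWED = Set.of(OrderRequest.class, String.class);

    // Custom filter: ObjectInputStream calls it for every class it is about to resolve.
    static final ObjectInputFilter ALLOWLIST = info -> {
        Class<?> cls = info.serialClass();
        if (cls == null) {
            // Not a class check (depth / reference-count / array-length callbacks): leave to defaults.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (cls.isArray()) {
            cls = cls.getComponentType();   // judge arrays by their element type
        }
        if (cls.isPrimitive() || ALLOWED.contains(cls)) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;   // unknown class: abort the whole read
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // The hardened sink: the filter is installed before readObject() is called.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload passes through unchanged.
        OrderRequest ok = (OrderRequest) readFiltered(serialize(new OrderRequest("SKU-42", 3)));
        System.out.println("accepted: " + ok.sku + " x" + ok.qty);

        // An unexpected class is stopped at class resolution with InvalidClassException.
        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allowlist that ends in rejection is preferable to a denylist of the roughly 50 stub class names, because a denylist only works if every name is known and stays stable across patches. The same policy can be applied process-wide, without touching each sink, via the JVM option `-Djdk.serialFilter=<pattern>` or `ObjectInputFilter.Config.setSerialFilter(...)`, where a pattern such as `com.example.OrderRequest;java.lang.String;!*` expresses the same allow-then-reject rule; on Java 8 the backported filter is available from update 121 as `sun.misc.ObjectInputFilter`. A per-stream filter set with `setObjectInputFilter` overrides the global one for that stream, so both should be reviewed together when auditing sinks.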

Responsible

IBM

Reservation

06/29/2026

Disclosure

06/30/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
