
Emerging Threats: (CVE-2026-8644, CVE-2026-9311, CVE-2026-9319) IBM WebSphere Application Server Identity Spoofing and RCE

What are CVE-2026-8644, CVE-2026-9311, and CVE-2026-9319?

On June 1, 2026, IBM disclosed three critical vulnerabilities affecting IBM WebSphere Application Server versions 8.5 and 9.0. All three are network-exploitable, require no authentication, and were published together, which makes them a single coordinated patching event rather than three isolated issues.

CVE-2026-8644 is an identity spoofing vulnerability (CWE-290, authentication bypass by spoofing). The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical). It allows an unauthenticated attacker to impersonate legitimate users or system components by exploiting how the server validates identity information, leading to unauthorized access and privilege escalation. Exploitation requires no valid credentials and no user interaction.

CVE-2026-9311 is a remote code execution vulnerability (CWE-94, code injection). The vulnerability carries a CVSS v3.1 base score of 9.0 (Critical). It stems from a bypass of security controls that lets an attacker reach a code execution path the controls were meant to protect, resulting in arbitrary code execution on the server. The attack is unauthenticated but carries high attack complexity.

CVE-2026-9319 is a remote code execution vulnerability (CWE-502, deserialization of untrusted data). The vulnerability carries a CVSS v3.1 base score of 9.0 (Critical). It affects JAX-WS endpoints that have WS-Security enabled: an unauthenticated attacker can send crafted serialized Java objects to such an endpoint and trigger deserialization that executes arbitrary code. Like CVE-2026-9311, it is unauthenticated with high attack complexity.

No public proof-of-concept exploit and no evidence of exploitation in the wild had been reported for any of the three at the time of writing.

What assets are affected by these vulnerabilities?

All three vulnerabilities affect IBM WebSphere Application Server (traditional) versions 8.5 and 9.0, specifically releases earlier than 8.5.5.30 on the 8.5 stream and earlier than 9.0.5.29 on the 9.0 stream. The flaws are in the core application server, so any deployment in that version range is potentially in scope regardless of the applications running on top of it.

In practice, an affected asset is a Java EE application server fronting business applications: web portals, banking and insurance back ends, retail commerce platforms, and internal services exposed to partners. WebSphere commonly sits behind a web tier and terminates SOAP and JAX-WS web service traffic, which is exactly the surface CVE-2026-9319 targets.

These servers tend to be long-lived and deeply integrated, which is what keeps them internet-facing and hard to retire. WebSphere 8.5 in particular is an older release that many organizations continue to run in production well past the point where a clean upgrade would have been straightforward, leaving exposed instances that are easy to overlook in an asset inventory.

Are fixes available?

Yes. IBM has published interim fixes for all three vulnerabilities, tracked under APAR PH71422 (CVE-2026-8644), PH71453 (CVE-2026-9311), and PH71454 (CVE-2026-9319). Organizations can apply these now after bringing their installation up to the minimum fix pack level that the interim fix requires.

Full fix packs that roll up the corrections, 8.5.5.30 for the 8.5 stream and 9.0.5.29 for the 9.0 stream, are targeted for availability in the third quarter of 2026. Until those ship, the interim fixes are the supported remediation path rather than a temporary workaround.

Because the three issues affect the same product versions and were disclosed together, they are best remediated as one bundle in a single maintenance window. Defenders should confirm current fix status directly with IBM rather than assuming a given fix pack already contains all three corrections.

Until the full fix packs are applied, defenders should:

  • Inventory all WebSphere 8.5 and 9.0 instances, including forgotten internet-facing servers
  • Restrict network access to JAX-WS and WS-Security endpoints from untrusted sources
  • Monitor authentication logs for anomalies that suggest identity spoofing attempts
  • Watch for deserialization errors and unexpected serialized-object traffic to web service endpoints
  • Audit recent privileged sessions and role changes for signs of impersonation
  • Begin migration planning for WebSphere 8.5 instances approaching end of support
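The inventory step above is where most of the work is. As an added example (not CyCognito's or IBM's code), the script below applies the fix levels and APAR numbers stated in this advisory to a host inventory and reports which CVEs are still open per instance; the inventory format, hostnames and fix levels are constructed assumptions.

```python
import re

# Fix pack that rolls up all three corrections, per stream (from the advisory).
FIXED_FIXPACK = {"8.5": (8, 5, 5, 30), "9.0": (9, 0, 5, 29)}

# Interim fix APAR for each CVE (from the advisory).
APAR_FOR_CVE = {
    "CVE-2026-8644": "PH71422",
    "CVE-2026-9311": "PH71453",
    "CVE-2026-9319": "PH71454",
}

def parse_version(version):
    """'8.5.5.27' -> (8, 5, 5, 27); numeric tuples avoid the lexical
    trap where '8.5.5.3' would sort after '8.5.5.30'."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", version):
        raise ValueError(f"unrecognized WebSphere version: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))  # pad short levels like '9.0'

def outstanding_cves(version, applied_apars=()):
    """CVEs still open on one instance given its fix pack level and the
    interim fixes (APARs) already installed."""
    v = parse_version(version)
    stream = f"{v[0]}.{v[1]}"
    if stream not in FIXED_FIXPACK:
        return []  # stream not named in the advisory; outside this check
    if v >= FIXED_FIXPACK[stream]:
        return []  # the rolled-up fix pack is present
    applied = {a.upper() for a in applied_apars}
    return [cve for cve, apar in APAR_FOR_CVE.items() if apar not in applied]

def triage(inventory):
    """Map host -> outstanding CVEs; fully remediated hosts are omitted."""
    report = {}
    for host, version, apars in inventory:
        open_cves = outstanding_cves(version, apars)
        if open_cves:
            report[host] = open_cves
    return report

# Constructed sample inventory (hostnames and fix levels are made up).
SAMPLE_INVENTORY = [
    ("was-portal-01", "8.5.5.27", []),
    ("was-portal-02", "8.5.5.27", ["PH71422", "PH71453", "PH71454"]),
    ("was-soap-01", "9.0.5.21", ["PH71454"]),
    ("was-soap-02", "9.0.5.29", []),
    ("was-legacy", "8.5.5.3", []),
]
```

Running triage(SAMPLE_INVENTORY) flags was-portal-01, was-soap-01 and was-legacy; the last one is the case a string comparison of version numbers would wrongly report as fixed.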

How can CyCognito help your organization?

CyCognito published an Emerging Threat Advisory for CVE-2026-8644, CVE-2026-9311, and CVE-2026-9319 in the CyCognito platform and is actively researching enhanced detection capabilities for these vulnerabilities.

To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.

