CVE-2026-9330: IBM WebSphere Deserialization RCE in SAML SSO
IBM WebSphere Application Server versions 8.5 and 9.0 contain a flaw in how they validate incoming data during user authentication via SAML (Security Assertion Markup Language) web single sign-on. An attacker with valid login credentials can send a specially crafted request that, when processed through a vulnerable deserialization pathway, may execute arbitrary code on the server. This risk is elevated because it requires only basic authentication and can impact systems across an organization's trust boundary.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-502
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper input validation during Java object deserialization within the SAML Web SSO component. Specifically, the flaw allows an authenticated attacker to submit a malicious serialized object that, when deserialized without sufficient type checking, can chain together publicly available gadget classes (library methods already present in the application classpath) to achieve remote code execution. The attack vector is network-accessible, though exploitation requires valid user credentials and careful construction of the gadget chain, which raises the attack complexity to 'high.' The scope is changed because successful exploitation can affect confidentiality, integrity, and availability across connected systems and services relying on the compromised application server.
Business impact
Successful exploitation allows an insider or compromised user account to execute arbitrary code with the privileges of the WebSphere process, potentially leading to data exfiltration, system compromise, lateral movement within the network, and service disruption. Organizations using WebSphere for mission-critical middleware or federation scenarios face heightened risk if user account hygiene is weak or if user credentials have been leaked. The compromise of a centralized authentication provider can cascade across multiple downstream applications.
Affected systems
IBM WebSphere Application Server 8.5 and 9.0 are confirmed affected. Organizations running these versions with SAML Web SSO enabled should prioritize assessment. Later or earlier versions may have different vulnerability status; verify against IBM's official security bulletins for complete product scope.
Exploitability
Exploitation requires a valid user account and sophisticated payload construction (gadget chain assembly), making opportunistic mass exploitation unlikely. However, the attack is practical for a determined adversary with internal access or valid credentials obtained through phishing or credential compromise. The network accessibility and high-severity impact make this a priority despite the authentication requirement.
Remediation
Apply security updates from IBM as they become available. Interim controls include restricting network access to WebSphere administrative and SSO endpoints, enforcing multi-factor authentication for user accounts, monitoring and limiting gadget-chain-enabling libraries in the application classpath if operationally feasible, and enhancing inspection of SAML assertion handling logs.
Patch guidance
Consult IBM's official security advisories and the WebSphere security update schedule for patch availability and version-specific remediation steps. Apply updates to a test environment first to validate compatibility with custom extensions and integrated applications. Verify the patch version against IBM's announcement to ensure complete coverage of CVE-2026-9330.
Detection guidance
Monitor WebSphere logs for deserialization warnings, unusual SAML assertion processing errors, and unexpected exception stack traces involving serialization classes. Network-level detection should flag anomalous HTTP requests to SAML endpoints, particularly those with large or binary payloads. Endpoint detection and response (EDR) tools should watch for process spawning from the WebSphere JVM process that is inconsistent with normal operational behavior. Correlate authentication logs with these indicators to identify compromised user sessions.
Why prioritize this
The combination of high CVSS score (8.5), network accessibility, and impact on identity and access control systems makes this a near-term priority. While the authentication prerequisite reduces the attack surface compared to unauthenticated RCE vulnerabilities, the potential for credential compromise or insider threats warrants urgent patching. This is especially critical if WebSphere serves as a hub for enterprise SSO or hosts sensitive business logic.
Risk score, explained
The CVSS 3.1 score of 8.5 (HIGH) reflects network accessibility, high attack complexity due to gadget chain construction requirements, the need for legitimate user privileges, and the full impact on confidentiality, integrity, and availability. The 'changed scope' rating acknowledges that WebSphere typically operates as a trusted infrastructure component, so compromise extends beyond the server itself to dependent systems and users.
Frequently asked questions
Does this vulnerability affect WebSphere versions older than 8.5 or newer than 9.0?
The advisory confirms vulnerability in versions 8.5 and 9.0. Organizations running other versions should reference IBM's official security bulletin to confirm their patch status, as version scope may expand or contract with additional analysis.
Is this vulnerability exploitable without valid user credentials?
No. The vulnerability requires an authenticated user session or valid login credentials. This significantly raises the barrier to exploitation compared to unauthenticated remote code execution flaws, but emphasizes the importance of strong access controls and credential hygiene.
What is a gadget chain and why does it matter here?
A gadget chain is a sequence of method calls within existing Java libraries that, when invoked through deserialization, can be chained together to execute arbitrary code. The attacker does not need to upload new code; they weaponize classes already present. Defense requires both patching the validation flaw and, in some cases, managing gadget-chain-enabling libraries.
If we are not using SAML SSO, are we still at risk?
If SAML Web SSO is not configured or enabled in your WebSphere deployment, this particular attack vector is not available. However, verify your configuration thoroughly, and apply patches anyway to avoid accidental exposure through future configuration changes or misconfigurations.
This analysis is provided for informational purposes to support vulnerability management and risk assessment. Organizations should verify all technical details, patch availability, and affected product versions against official IBM security advisories and their own environment configurations. SEC.co makes no warranty regarding the accuracy, completeness, or applicability of this information. Always test patches in a non-production environment before deployment. Consult IBM support and your organization's security team for environment-specific remediation advice. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation
- CVE-2026-37579HIGHSMSGate Remote Code Execution via CMPP7 Deserialization
- CVE-2026-38950HIGHESA AnomalyMatch Arbitrary Code Execution via Unsafe PyTorch Deserialization
- CVE-2026-39550HIGHAperitif Theme Remote Code Execution via Object Injection
- CVE-2026-39551HIGHTöbel Deserialization Remote Code Execution Vulnerability