IBM discloses critical WebSphere Application Server vulnerabilities (CVE-2026-8644 etc.)
IBM disclosed three critical vulnerabilities in IBM WebSphere Application Server versions 8.5 and 9.0 on June 1, 2026. The flaws affect releases below 8.5.5.30 and 9.0.5.29.
All three are network-exploitable and require no authentication. They were published together as a single coordinated patching event.
CVE-2026-8644 is an identity spoofing vulnerability with a CVSS v3.1 base score of 9.1. It allows an unauthenticated attacker to impersonate legitimate users or system components. This leads to un
CVE-2026-9311 is a remote code execution vulnerability with a CVSS v3.1 base score of 9.0. It stems from a
CVE-2026-9319 is a remote code execution vulnerability with a CVSS v3.1 base score of 9.0. It affects JAX-WS endpoints that have WS-Security enabled. An unauthenticated attacker can send crafted serialized Java objects to trigger deserialization that executes arbitrary code.
No public proof-of-concept exploit and no evidence of exploitation in the wild had been reported for any of the three at the time of writing.
Interim fixes are available under APAR PH71422 for CVE-2026-8644, PH71453 for CVE-2026-9311, and PH71454 for CVE-2026-9319. Full fix packs are targeted for the third quarter of 2026.
Defenders should inventory all WebSphere 8.5 and 9.0 instances, including forgotten internet-facing servers. They should restrict network access to JAX-WS and WS-Security endpoints from untrusted sources. They should also monitor authentication logs for anomalies that suggest identity spoofing attempts.
Watch for deserialization errors and unexpected serialized object traffic to web service endpoints. Audit recent privileged sessions and role changes for signs of impersonation. Begin migration planning for WebSphere 8.5 instances approaching end of support.
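The inventory step can be turned into a per-server triage against the fixed levels and interim-fix APARs listed above. The following is an added example, not IBM's or the article's own tooling; the CSV inventory format, the host names and the function names are assumptions made for illustration.

```python
import csv
import io

# Fixed levels and interim-fix APARs as stated in the article above.
FIXED_LEVEL = {"8.5": (8, 5, 5, 30), "9.0": (9, 0, 5, 29)}
APAR_FOR_CVE = {
    "CVE-2026-8644": "PH71422",
    "CVE-2026-9311": "PH71453",
    "CVE-2026-9319": "PH71454",
}

# Constructed sample inventory (hypothetical hosts; the format is an assumption).
SAMPLE_INVENTORY = """host,version,ifixes
was-prod-01,9.0.5.27,PH71422;PH71453;PH71454
was-legacy-02,8.5.5.24,
was-dmz-03,9.0.5.28,PH71422
was-new-04,9.0.5.29,
was-odd-05,8.5.5,PH71453
"""

def parse_version(text):
    """Return a 4-tuple of ints, padding short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def open_cves(version, ifixes):
    """CVEs from the article not yet covered by an interim fix on one server."""
    v = parse_version(version)
    fixed = FIXED_LEVEL.get(f"{v[0]}.{v[1]}")
    if fixed is None or v >= fixed:
        return []  # not a release line the article covers, or already at the fixed level
    installed = {a.strip().upper() for a in ifixes.split(";") if a.strip()}
    return sorted(c for c, apar in APAR_FOR_CVE.items() if apar not in installed)

def triage(inventory_csv):
    """Map host -> open CVEs, listing only hosts that still need a fix."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    report = {}
    for row in rows:
        missing = open_cves(row["version"], row["ifixes"] or "")
        if missing:
            report[row["host"]] = missing
    return report

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: needs interim fix for {', '.join(cves)}")
```

A server with all three APARs recorded drops out of the report even though its fix-pack level is still below the fixed release, which matches the interim-fix guidance while the full fix packs are pending.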
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from CyCognito and reviewed by the T&B editorial agent team.