CVE-2026-13759
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs.
Risk Assessment
The organization is at risk of remote code execution (RCE) on WebSphere servers, potentially leading to full compromise of applications and data, as well as lateral movement within the cluster.
Recommendation
Immediately upgrade IBM WebSphere Extreme Scale to version 8.6.1.7 or later, which includes a fix for this vulnerability. Until the update is applied, restrict access to management interfaces and replication network, and monitor for suspicious activity.
Original NVD description (English source)
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteConstructor.readResolve and PriorityQueue/ExtractorComparator are confirmed working, allowing a post-login attacker who can write a session attribute or a LAN-adjacent attacker on the grid replication wire to execute arbitrary code on peer WAS JVMs

