CVE Catalog

CVE-2026-13772

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 contains a vulnerability in the Object Query Language engine that resolves attacker-supplied class names via Class.forName() and invokes their constructors without an allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators). An authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values triggers the same gadget post-deserialization in a manner that bypasses JEP-290 serialization filters across grid node boundaries.

Risk Assessment

The risk for the organization includes remote arbitrary code execution by an authenticated attacker, potentially leading to full compromise of the WAS server, data confidentiality and integrity breaches, and service disruption.

Recommendation

It is recommended to immediately upgrade IBM WebSphere Extreme Scale to version 8.6.1.7 or later, which contains a fix for this vulnerability. Until the update is applied, restrict access to interfaces that allow influencing OQL queries and implement additional input validation mechanisms.

Original NVD description (English source)

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries

Vulnerability data from NVD (NIST) · CISA KEV · EPSS