CVE-2026-13773 (GCVE-0-2026-13773)

Vulnerability from cvelistv5 – Published: 2026-06-30 19:20 – Updated: 2026-06-30 19:37
VLAI
Title
IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol
Summary
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7278594 vendor-advisorypatch
Impacted products
Vendor Product Version
IBM WebSphere Extreme Scale Affected: 8.6.1.0 , ≤ 8.6.1.6 (semver)
    cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13773",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T19:37:43.519923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T19:37:59.403Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*"
          ],
          "product": "WebSphere Extreme Scale",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "8.6.1.6",
              "status": "affected",
              "version": "8.6.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale\u0027s ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB\u0027s getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.\u003c/p\u003e"
            }
          ],
          "value": "IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale\u0027s ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB\u0027s getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T19:20:49.312Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7278594"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVulnerability is not applicable if Transport protocol is not Object Request Broker (ORB) \u00a0rather IBM eXtremeIO (XIO) .Please do not use ORB as transport protocol and use XIO as transport protocol. Please follow the below document for setting XIO as transport protocol\u003cbr/\u003e\u003ca href=\"https://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html\" rel=\"nofollow\"\u003ehttps://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html\u003c/a\u003e\u003cbr/\u003eORB is deprecated and we have removed ORB support from 8.6.2.* version . We recommend customers to migrate to 8.6.2.*.\u003c/p\u003e"
            }
          ],
          "value": "Vulnerability is not applicable if Transport protocol is not Object Request Broker (ORB) \u00a0rather IBM eXtremeIO (XIO) .Please do not use ORB as transport protocol and use XIO as transport protocol. Please follow the below document for setting XIO as transport protocol\n https://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html \nORB is deprecated and we have removed ORB support from 8.6.2.* version . We recommend customers to migrate to 8.6.2.*."
        }
      ],
      "title": "IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-13773",
    "datePublished": "2026-06-30T19:20:49.312Z",
    "dateReserved": "2026-06-29T21:52:34.923Z",
    "dateUpdated": "2026-06-30T19:37:59.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-13773",
      "date": "2026-07-01",
      "epss": "0.03013",
      "percentile": "0.85771"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-13773\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2026-06-30T20:17:29.227\",\"lastModified\":\"2026-07-01T13:58:54.010\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale\u0027s ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB\u0027s getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.\"}],\"affected\":[{\"source\":\"psirt@us.ibm.com\",\"affectedData\":[{\"vendor\":\"IBM\",\"product\":\"WebSphere Extreme Scale\",\"cpes\":[\"cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*\",\"cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"8.6.1.0\",\"lessThanOrEqual\":\"8.6.1.6\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-30T19:37:43.519923Z\",\"id\":\"CVE-2026-13773\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7278594\",\"source\":\"psirt@us.ibm.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-13773\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-30T19:37:43.519923Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-30T19:37:50.394Z\"}}], \"cna\": {\"title\": \"IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"WebSphere Extreme Scale\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.6.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.6.1.6\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Vulnerability is not applicable if Transport protocol is not Object Request Broker (ORB) \\u00a0rather IBM eXtremeIO (XIO) .Please do not use ORB as transport protocol and use XIO as transport protocol. Please follow the below document for setting XIO as transport protocol\\n https://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html \\nORB is deprecated and we have removed ORB support from 8.6.2.* version . We recommend customers to migrate to 8.6.2.*.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eVulnerability is not applicable if Transport protocol is not Object Request Broker (ORB) \\u00a0rather IBM eXtremeIO (XIO) .Please do not use ORB as transport protocol and use XIO as transport protocol. Please follow the below document for setting XIO as transport protocol\u003cbr/\u003e\u003ca href=\\\"https://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html\\\" rel=\\\"nofollow\\\"\u003ehttps://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html\u003c/a\u003e\u003cbr/\u003eORB is deprecated and we have removed ORB support from 8.6.2.* version . We recommend customers to migrate to 8.6.2.*.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7278594\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale\u0027s ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB\u0027s getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale\u0027s ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB\u0027s getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918 Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2026-06-30T19:20:49.312Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-13773\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T19:37:59.403Z\", \"dateReserved\": \"2026-06-29T21:52:34.923Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2026-06-30T19:20:49.312Z\", \"assignerShortName\": \"ibm\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…