IBM WebSphere eXtreme Scale's OQL is affected by remote code execution
Summary
| CVE | CVE-2026-13772 |
|---|---|
| State | PUBLISHED |
| Assigner | ibm |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 20:17:29 UTC |
| Updated | 2026-07-03 04:17:40 UTC |
| Description | IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries. |
Risk And Classification
Primary CVSS: v3.1 9.9 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.002830000 probability, percentile 0.201400000 (date 2026-07-03)
Problem Types: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | NVD-CWE-noinfo
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Websphere Extreme Scale | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | IBM | WebSphere Extreme Scale | 8.6.1.0 through 8.6.1.6 (affected, semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.ibm.com/support/pages/node/7278593 | [email protected] | www.ibm.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: If eXtreme Scale is being used as a Session Cache (Session Grid), this vulnerability is not applicable. In a Session Grid deployment, applications typically use eXtreme Scale only to store and retrieve HTTP session data and do not create or execute Object Query Language (OQL) queries against the session data. As a result, the vulnerable OQL functionality is not exercised.

If eXtreme Scale is being used as a Simple Grid and the application executes OQL queries, the risk can be mitigated through application code changes. Recommended mitigation strategies include:

1. Never concatenate user-supplied input directly into OQL statements. Use query parameters wherever possible.
2. Restrict dynamically specified class names to a predefined allow list of approved classes.
3. Do not allow end users to construct or modify OQL query syntax.
4. Avoid dynamically loading comparator classes or using reflection-based sorting based on user input.
5. Validate and sanitize all user-supplied values before they are used to construct OQL queries.

These mitigations help prevent untrusted input from influencing OQL execution and eliminate the attack paths associated with this vulnerability.
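The mitigation list above, as an added example that is neither IBM's code nor part of the CVE record: a Java helper that confines OQL to fixed templates with named parameters and checks any dynamically requested class name against an allow-list before it can reach Class.forName(). The class names, template key and Customer map are constructed for the example, and it assumes the application's query object accepts the bound values through a setParameter(name, value) method.

```java
import java.util.Map;
import java.util.Set;

// Added example, not IBM code: applies mitigations 1 to 4 to application-side OQL building.
public final class OqlQueryGuard {

    // Mitigation 2: the only classes a query may name in SELECT NEW or as a comparator.
    // Anything else is rejected here, before the OQL engine ever sees the name.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "com.example.dto.CustomerSummary",      // constructed name
            "com.example.sort.ByLastNameComparator"); // constructed name

    // Mitigation 3: OQL syntax lives in fixed templates; callers choose a key, never a
    // query string. Values are carried as named parameters (mitigation 1).
    private static final Map<String, String> TEMPLATES = Map.of(
            "summaryByCity",
            "SELECT NEW com.example.dto.CustomerSummary(c.id, c.name) "
                    + "FROM Customer c WHERE c.city = :city");

    /** Query text plus the values the caller binds via setParameter(name, value) (assumed API). */
    public record PreparedOql(String text, Map<String, Object> params) {}

    // Vulnerable pattern kept for contrast: caller-influenced text reaches the OQL parser,
    // so whatever class name or extra clause it carries is accepted as written.
    static String unsafeQuery(String requestedClass, String city) {
        return "SELECT NEW " + requestedClass + "(c.id) FROM Customer c WHERE c.city = '" + city + "'";
    }

    // Mitigations 2 and 4: a requested class is honoured only on exact allow-list match.
    static String resolveClass(String requested) {
        if (requested == null || !ALLOWED_CLASSES.contains(requested)) {
            throw new IllegalArgumentException("class not permitted in OQL: " + requested);
        }
        return requested;
    }

    // Hardened builder: fixed template, user value kept out of the query text entirely.
    static PreparedOql prepare(String templateKey, String city) {
        String text = TEMPLATES.get(templateKey);
        if (text == null) {
            throw new IllegalArgumentException("unknown query template: " + templateKey);
        }
        return new PreparedOql(text, Map.of("city", city));
    }

    public static void main(String[] args) {
        PreparedOql q = prepare("summaryByCity", "Austin");
        System.out.println(q.text() + "  with params " + q.params());
        try {
            resolveClass("com.example.NotOnTheList"); // constructed, not allow-listed
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```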