IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used as Transport Protocol
Summary
| CVE | CVE-2026-13773 |
|---|---|
| State | PUBLISHED |
| Assigner | ibm |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 20:17:29 UTC |
| Updated | 2026-07-02 18:26:29 UTC |
| Description | IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM. |
Risk And Classification
Primary CVSS: v3.1 10 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.034150000 probability, percentile 0.874380000 (date 2026-07-03)
Problem Types: CWE-918 | CWE-918 CWE-918 Server-Side Request Forgery (SSRF)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 10 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L |
| 3.1 | CNA | CVSS | 6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Websphere Extreme Scale | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | IBM | WebSphere Extreme Scale | affected 8.6.1.0 8.6.1.6 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.ibm.com/support/pages/node/7278594 | [email protected] | www.ibm.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: Vulnerability is not applicable if Transport protocol is not Object Request Broker (ORB) rather IBM eXtremeIO (XIO) .Please do not use ORB as transport protocol and use XIO as transport protocol. Please follow the below document for setting XIO as transport protocol https://www.ibm.com/docs/en/SSTVLU_8.6.1/com.ibm.websphere.extremescale.doc/txsconfigxstransport.html ORB is deprecated and we have removed ORB support from 8.6.2.* version . We recommend customers to migrate to 8.6.2.*.