Critical Vulnerabilities in IBM WebSphere Allow Remote Code Execution
Severity: High (Score: 72.6)
Sources: Cybersecuritynews, Heise.De, www.ibm.com
Keywords: websphere, server, security, application, code, crafted, attackers
Summary
IBM has disclosed multiple critical vulnerabilities in its WebSphere Application Server, including CVE-2026-8633, which allows remote code execution via crafted HTTP requests. Other vulnerabilities, such as CVE-2026-9311, CVE-2026-9319, and CVE-2026-8644, enable attackers to bypass security controls and execute malicious code. The flaws primarily affect enterprise environments using WebSphere, raising significant risks for organizations reliant on these systems. Administrators are urged to apply security patches promptly; there is no indication of active exploitation yet. IBM has also addressed vulnerabilities in its Business Automation Workflow, with CVE-2026-33186 allowing authentication bypass. The security updates are available in specific versions of the affected software. The situation remains critical as organizations work to secure their systems.
Key Points:
- Multiple critical vulnerabilities in IBM WebSphere Application Server allow remote code execution.
- CVE-2026-8633 enables arbitrary code execution through crafted HTTP requests.
- Administrators must apply security patches immediately to mitigate risks.
Detailed Analysis
**Impact** Enterprises using IBM WebSphere Application Server and Business Automation Workflow are affected, with potential full system compromise. The vulnerabilities impact central business process automation, risking operational disruption and unauthorized access to sensitive data. The scope includes environments globally where these products are deployed, particularly those using JAX-WS endpoints with WS-Security and gRPC-Go components. No specific sector or geographic data is provided.
**Technical Details** Attackers exploit multiple critical vulnerabilities (CVE-2026-9311, CVE-2026-9319, CVE-2026-8644, CVE-2026-33186) and a separate critical flaw (CVE-2026-8633) by sending crafted HTTP requests and bypassing authentication mechanisms. Exploits enable security control bypass, remote code execution, and user impersonation, primarily targeting WebSphere Application Server and Business Automation Workflow components, including optional Web Server Plug-ins and gRPC-Go. No malware or specific TTPs beyond crafted requests are detailed. Indicators of compromise (IOCs) are not provided.
**Recommended Response** Apply IBM security updates immediately, including interim fixes for CVE-2026-9330 until full patches are released in Q3. Update to versions 24.0.0-IF009, 24.0.1-IF007, 25.0.0-IF005, and 25.0.1-IF001 for Business Automation Workflow. Harden configurations by securing JAX-WS endpoints and Web Server Plug-ins components. Monitor network traffic for unusual HTTP requests targeting WebSphere servers and implement detection rules for exploitation attempts.
Source articles (6)
- IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request — Cybersecuritynews · 2026-06-01
  IBM has disclosed a critical security vulnerability in its WebSphere Application Server ecosystem that could allow attackers to execute arbitrary code through specially crafted HTTP requests. The flaw…
- Security mechanisms in IBM WebSphere Application Server can be bypassed — Heise.De · 2026-06-03
  Attackers can exploit several vulnerabilities in IBM WebSphere Application Server and Business Automation Workflow and, in the worst case, gain full control over systems. Security updates provide a re…
- CVE-2026-9311 — www.ibm.com · 2026-06-03
- CVE-2026-9319 — www.ibm.com · 2026-06-03
- CVE-2026-8644 — www.ibm.com · 2026-06-03
- IBM Business Automation Workflow is vulnerable through more than ten vulnerabilities in total — www.ibm.com · 2026-06-03
Timeline
- 2026-03-20 — CVE-2026-33186 published: A critical vulnerability in IBM Business Automation Workflow was disclosed, allowing authentication bypass.
- 2026-04-07 — First public PoC for CVE-2026-33186: A proof of concept for the critical vulnerability in Business Automation Workflow was made public.
- 2026-05-26 — CVE-2026-8633 published: IBM disclosed a critical vulnerability allowing remote code execution via crafted requests.
- 2026-06-01 — CVE-2026-8644, 9311, and 9319 published: Three critical vulnerabilities were disclosed, enabling security control bypass and malicious code execution.
- 2026-06-01 — CVE-2026-9330 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-01 — CVE-2026-9311 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-01 — CVE-2026-9319 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- Recent — Security patches released: IBM released security updates for affected versions of WebSphere and Business Automation Workflow.
Related entities
- Zero-day Exploit (Attack Type)
- IBM (Company)
- german.it (Domain)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- GRPC-Go (Platform)
- IBM Business Automation Workflow (Platform)
- IBM WebSphere Application Server (Platform)
- WebSphere Application Server (Platform)