High

Remote Code Execution via Deserialization in IBM WebSphere Application Server SAML Web SSO

IdentifiersCVE-2026-9330CWE-502· Deserialization of Untrusted Data

CVE-2026-9330 affects IBM WebSphere Application Server 9.0 and 8.5. The vulnerability is caused by improper validation of user-supplied data during deserialization in the SAML Web Single Sign-On processing component. An attacker can send a crafted HTTP request that reaches the vulnerable SAML processing path and triggers deserialization of untrusted data. If a suitable gadget chain is present in the target environment, this can be leveraged to achieve remote code execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in remote code execution in the context of the affected WebSphere Application Server process. This may allow an attacker to execute arbitrary payloads remotely, deploy malware, gain unauthorized access to the application server environment, and potentially pivot further within the enterprise environment depending on the privileges and connectivity of the compromised server.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the SAML Web Single Sign-On component to untrusted networks, restrict access to endpoints that process SAML authentication traffic, and limit inbound HTTP requests to trusted identity providers and administrative network paths only. Because exploitation depends on attacker-controlled deserialization input and a usable gadget chain, minimizing reachable attack surface and reducing unnecessary libraries/classes in the runtime may lower risk, but vendor fixes are the primary mitigation.

Remediation

Patch, then assume compromise.

Apply IBM's security updates and interim fixes for the affected traditional WebSphere Application Server 9.0 and 8.5 releases. The provided content indicates IBM issued bulletin-backed fixes and references interim remediation through APARs, with broader upgrade packs planned subsequently. Administrators should deploy the vendor-provided fixes for CVE-2026-9330 as soon as possible and upgrade to a fixed release level when available.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

International Business MachinesWebsphere Application Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security online infoNews

Jun 5, 2026

IBM WebSphere Execution Flaws: Critical Patches Issued

A critical IBM WebSphere deserialization vulnerability in the SAML processing component that may enable remote code execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-9330

NVD

nvd.nist.gov/vuln/detail/CVE-2026-9330

MITRE CWE · CWE-502

Deserialization of Untrusted Data

Vendor Advisory

ibm.com/support/pages/node/7274733