CVE-2026-10845 Overview
CVE-2026-10845 is an authentication bypass vulnerability affecting IBM WebSphere Application Server versions 8.5 and 9.0. A remote attacker can bypass authentication controls and gain unauthorized access to Java API for XML Web Services (JAX-WS) applications hosted on the server. The flaw is classified under [CWE-287] Improper Authentication and is network-exploitable without user interaction or prior privileges. IBM has published a security advisory and remediation guidance on its support portal.
Critical Impact
Remote attackers can bypass authentication and access protected JAX-WS web services, leading to unauthorized exposure of application data and functionality.
Affected Products
- IBM WebSphere Application Server 8.5
- IBM WebSphere Application Server 9.0
- Deployments on IBM AIX, IBM i, IBM z/OS, Linux, and Microsoft Windows
Discovery Timeline
- 2026-06-22 - CVE-2026-10845 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-10845
Vulnerability Analysis
The vulnerability resides in how IBM WebSphere Application Server enforces authentication on JAX-WS application endpoints. JAX-WS is the standard Java framework used to build and consume SOAP-based web services. A flaw in the authentication enforcement logic allows specially crafted requests to reach protected services without valid credentials.
Because the issue is reachable over the network and requires no user interaction, attackers can target exposed WebSphere instances directly. Successful exploitation grants access to JAX-WS application logic and any data accessible through those services. The vulnerability affects confidentiality, integrity, and availability at a limited scope.
Root Cause
The root cause is improper authentication enforcement [CWE-287] in the JAX-WS request processing path. The server fails to consistently validate authentication credentials before dispatching requests to JAX-WS application handlers. Attackers can exploit this gap to invoke service operations that should require an authenticated session.
Attack Vector
The attack vector is network-based. An attacker sends crafted SOAP or HTTP requests to a JAX-WS endpoint hosted on a vulnerable WebSphere instance. No credentials, tokens, or user interaction are required to reach the vulnerable code path. Once authentication is bypassed, the attacker can invoke web service operations and retrieve or modify data exposed through those operations.
No public proof-of-concept exploit is available at the time of publication. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, and the EPSS score is 0.337%.
Detection Methods for CVE-2026-10845
Indicators of Compromise
- Unauthenticated HTTP or SOAP requests reaching JAX-WS endpoints that normally require authentication
- Successful HTTP 200 responses to web service requests lacking valid Authorization, WS-Security, or session cookie headers
- Access patterns to JAX-WS service URIs from unexpected source IPs or geographies
Detection Strategies
- Review WebSphere access logs for requests to JAX-WS endpoints that returned success codes without prior authentication events
- Correlate web service invocation logs with authentication audit logs to identify sessions missing a preceding login
- Deploy WAF or API gateway rules that flag SOAP requests to protected services without security headers
Monitoring Recommendations
- Enable verbose security auditing in WebSphere and forward logs to a centralized SIEM for correlation
- Monitor outbound data volume from WebSphere hosts for unexpected spikes that may indicate data exfiltration through web services
- Track changes to JAX-WS application configurations and security role bindings
How to Mitigate CVE-2026-10845
Immediate Actions Required
- Inventory all WebSphere Application Server 8.5 and 9.0 instances and identify those exposing JAX-WS applications
- Apply the IBM-provided fix referenced in the IBM Support Page as soon as feasible
- Restrict network exposure of WebSphere management and application ports to trusted networks only
Patch Information
IBM has published remediation details on the IBM Support Page. Administrators should consult the advisory for the specific interim fix (PH/APAR) corresponding to their WebSphere 8.5 or 9.0 fix pack level and apply it following standard change-management procedures. Restart affected JVMs after applying the fix to ensure the patched authentication logic is loaded.
Workarounds
- Place affected JAX-WS endpoints behind an authenticating reverse proxy or API gateway until the patch is applied
- Disable or unbind JAX-WS applications that are not actively required for business operations
- Tighten WebSphere security role mappings and require WS-Security policies on all SOAP services
# Configuration example
# Restrict access to WebSphere JAX-WS endpoints at the network layer
# Example iptables rule allowing only trusted subnet access to port 9080
iptables -A INPUT -p tcp --dport 9080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

