CVE-2026-13773 Overview
CVE-2026-13773 affects IBM WebSphere eXtreme Scale versions 8.6.1.0 through 8.6.1.6. Approximately 50 generated Common Object Request Broker Architecture (CORBA) stub classes in the ogclient.jar library invoke ORB.string_to_object() on an attacker-controlled Interoperable Object Reference (IOR) string during Java deserialization. This converts any unfiltered ObjectInputStream sink in WebSphere Application Server (WAS) into an outbound Internet Inter-ORB Protocol (IIOP) Server-Side Request Forgery (SSRF) against an attacker-chosen host. Chained with the IBM Object Request Broker (ORB) getUserException class-instantiation flaw tracked as WAS-26, the SSRF escalates to remote code execution on the calling Java Virtual Machine (JVM). The vulnerability is categorized under CWE-918 (Server-Side Request Forgery).
Critical Impact
Unauthenticated attackers can achieve remote code execution on affected WebSphere Application Server JVMs by chaining IIOP SSRF with the IBM ORB class-instantiation flaw.
Affected Products
- IBM WebSphere eXtreme Scale 8.6.1.0
- IBM WebSphere eXtreme Scale versions 8.6.1.1 through 8.6.1.5
- IBM WebSphere eXtreme Scale 8.6.1.6
Discovery Timeline
- 2026-06-30 - CVE-2026-13773 published to the National Vulnerability Database (NVD)
- 2026-07-02 - Last updated in the NVD database
Technical Details for CVE-2026-13773
Vulnerability Analysis
The flaw resides in generated CORBA stub classes bundled with ogclient.jar in WebSphere eXtreme Scale. Around 50 stub classes call ORB.string_to_object() during Java deserialization. The argument to this call is an IOR string extracted from attacker-controlled serialized data. Any unfiltered ObjectInputStream sink reachable in WebSphere Application Server therefore becomes an SSRF primitive that speaks IIOP to an arbitrary host and port.
SSRF alone would already expose internal services. However, chaining the primitive with the IBM ORB getUserException class-instantiation weakness (WAS-26) converts the outbound IIOP request into full remote code execution. The attacker-controlled IIOP endpoint returns a crafted response that forces the client ORB to instantiate an arbitrary class in the calling JVM, executing attacker logic in the server process.
Root Cause
The root cause is unsafe use of ORB.string_to_object() on untrusted input inside deserialization paths. The stub classes trust the IOR string sourced from the serialized byte stream. No allow-list restricts the target host, port, or object key of the resulting IIOP resolution. The related class-instantiation flaw in the IBM ORB compounds the issue by treating remote exception types as instantiable classes without validation.
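The missing control described above is an allow-list on the host and port an IOR resolves to. The following added example (not IBM's code or part of this advisory) decodes the IIOP profiles of a stringified IOR from its CDR encapsulation, in either byte order, and accepts the reference only when every profile points at an approved host:port; the repository id, hosts and object keys are constructed sample values, and build_ior exists only to produce that sample input.

```python
import struct
TAG_INTERNET_IOP = 0  # TaggedProfile tag for IIOP profiles

class CdrReader:
    """Minimal CDR reader; an encapsulation starts with a byte-order flag (0 = big, 1 = little)."""
    def __init__(self, data: bytes):
        self.data, self.pos, self.le = data, 1, data[0] == 1
    def prim(self, fmt):  # read one primitive, aligned to its own size as CDR requires
        size = struct.calcsize(fmt)
        self.pos += (-self.pos) % size
        (v,) = struct.unpack_from(("<" if self.le else ">") + fmt, self.data, self.pos)
        self.pos += size
        return v
    def octets(self):  # sequence<octet>: ulong length, then the bytes
        n = self.prim("I")
        v, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return v
    def string(self):  # CDR strings are length-prefixed and NUL-terminated
        return self.octets()[:-1].decode("latin-1")

def iiop_targets(ior: str):
    """Return (host, port) of every IIOP profile in a stringified IOR, without resolving it."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CdrReader(bytes.fromhex(ior[4:]))
    r.string()  # repository id (IDL:...); irrelevant for the egress check
    targets = []
    for _ in range(r.prim("I")):  # sequence<TaggedProfile>
        tag, body = r.prim("I"), r.octets()
        if tag == TAG_INTERNET_IOP:
            p = CdrReader(body)  # the profile body is its own encapsulation
            p.pos += 2  # skip iiop_version major/minor octets
            targets.append((p.string(), p.prim("H")))
    return targets

def ior_allowed(ior: str, allow: set) -> bool:
    """Accept only IORs with at least one IIOP profile, all of them on the allow-list."""
    return bool(t := iiop_targets(ior)) and all(x in allow for x in t)

def build_ior(type_id: str, host: str, port: int, key: bytes, little=False) -> str:
    """Encode a single-profile IIOP 1.0 IOR; used here only to construct sample input."""
    e, pad = "<" if little else ">", lambda b, n=4: b + b"\0" * ((-len(b)) % n)
    cstr = lambda s: struct.pack(e + "I", len(s) + 1) + s.encode() + b"\0"
    body = pad(bytes([little, 1, 0])) + cstr(host)  # byte-order flag, version 1.0, host
    body = pad(body, 2) + struct.pack(e + "H", port)
    body = pad(body) + struct.pack(e + "I", len(key)) + key  # object_key
    outer = pad(bytes([little])) + cstr(type_id)
    outer = pad(outer) + struct.pack(e + "II", 1, TAG_INTERNET_IOP)  # one profile
    return "IOR:" + (outer + struct.pack(e + "I", len(body)) + body).hex()
```

An IOR whose only profiles are non-IIOP (or that carries no profile at all) yields no targets and is rejected, which is the safe default for a check that guards an outbound IIOP resolution.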
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. An attacker submits crafted serialized Java data to any WebSphere endpoint that deserializes untrusted input. During deserialization, the CORBA stubs contact the attacker's IIOP listener. The listener replies with a payload that triggers the getUserException class-instantiation path, resulting in code execution in the WebSphere JVM context. For technical background, see the IBM Support Document.
Detection Methods for CVE-2026-13773
Indicators of Compromise
- Outbound IIOP or General Inter-ORB Protocol (GIOP) connections from WebSphere JVMs to unexpected external hosts on non-standard ports.
- Presence of ogclient.jar stub classes on the deserialization stack in application server thread dumps or error logs.
- WebSphere SystemOut.log entries showing ORB.string_to_object() calls preceding ClassNotFoundException or reflection-based instantiation errors.
- Unexpected child processes spawned by the WebSphere Application Server JVM.
Detection Strategies
- Inspect network egress from application servers for IIOP traffic and alert on any destination outside the approved CORBA infrastructure.
- Deploy Java agent instrumentation to trace calls to ORB.string_to_object() with parameters sourced from ObjectInputStream.
- Monitor for deserialization gadget signatures in HTTP, Remote Method Invocation (RMI), and Java Message Service (JMS) request bodies reaching WebSphere.
Monitoring Recommendations
- Enable verbose ORB logging on WebSphere and centralize logs in a Security Information and Event Management (SIEM) platform for correlation.
- Baseline outbound connections from WebSphere hosts and alert on new IIOP destinations.
- Track process lineage and file system writes originating from WebSphere JVM processes to catch post-exploitation activity.
How to Mitigate CVE-2026-13773
Immediate Actions Required
- Apply the IBM interim fix or upgrade referenced in the IBM Support Document on all affected WebSphere eXtreme Scale deployments.
- Restrict outbound network access from WebSphere JVMs to only required CORBA and IIOP endpoints using host-based or perimeter firewall rules.
- Audit application code and libraries for any ObjectInputStream sinks exposed to untrusted input and disable or wrap them with a serialization filter.
Patch Information
IBM has published remediation guidance and fix packs for WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6. Refer to the IBM Support Document for the authoritative list of interim fixes and upgrade paths. Update the IBM ORB alongside the eXtreme Scale fix to address the chained WAS-26 class-instantiation flaw.
Workarounds
- Configure a JEP 290 serialization filter (jdk.serialFilter) that rejects CORBA stub classes shipped in ogclient.jar.
- Block outbound IIOP and GIOP traffic from application server subnets at the network layer where CORBA is not required.
- Remove or isolate ogclient.jar from classpaths that do not require WebSphere eXtreme Scale client functionality.
# Example JVM serialization filter to reject CORBA stub deserialization
-Djdk.serialFilter="!com.ibm.ws.objectgrid.corba.**;!org.omg.**;!com.ibm.CORBA.**;maxdepth=20;maxrefs=500"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

