CVE-2026-13773
MediumCVSS 6.0Exploitation Probability (EPSS)
High risk87th percentile — higher than 87% of all known CVEs
Summary
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 contains approximately 50 generated CORBA stub classes in ogclient.jar that call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization. This turns any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host.
Risk Assessment
The risk is that an attacker can chain this SSRF with the IBM ORB getUserException class-instantiation flaw to achieve remote code execution on the calling JVM, leading to full server compromise and potential data breach.
Recommendation
Immediately upgrade IBM WebSphere Extreme Scale to version 8.6.1.7 or later, implement deserialization filtering for ObjectInputStream in WAS applications, and restrict IIOP traffic to trusted hosts.
Original NVD description (English source)
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into outbound IIOP SSRF to an attacker-chosen host; when chained with the IBM ORB's getUserException class-instantiation flaw (WAS-26), this SSRF escalates to remote code execution on the calling JVM.

