External risk intelligence

IBM WebSphere Extreme Scale OQL Injection via ClassforName Enables Arbitrary Constructor Execution

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-13772

IBM WebSphere Extreme Scale is typically used as a backend data grid or caching layer within enterprise application architectures. While these components are often integrated into larger, potentially internet-facing applications, they are rarely exposed directly to the public internet and typically reside in internal network segments.

Ibm Websphere Extreme Scale

8.6.1.0 to 8.6.1.6

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in IBM WebSphere Extreme Scale, a component often used for data grids and caching in enterprise applications. The vulnerability could allow an authenticated attacker to execute arbitrary code on the server. The main concern is confirming the relevance and exposure of this technology within our environment.

  • Allows code execution via crafted queries.
  • Impacts core enterprise data services.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker who can influence an application-built Object Query Language (OQL) query string in IBM WebSphere Extreme Scale could potentially execute arbitrary code on the server. This is possible because the OQL engine resolves and instantiates attacker-supplied class names without restrictions. A specific variant of this attack, involving `SELECT DISTINCT` and planted grid values, can trigger a similar outcome after deserialization, even when serialization filters are in place, and can propagate across grid nodes.

  • Authenticated attacker influences OQL query.
  • Attacker-supplied class names are instantiated.
  • Arbitrary constructor execution on JVM.

Live Threat

Current exploitation, exposure, and threat context

An authenticated attacker could exploit the Object Query Language engine in IBM WebSphere Extreme Scale to execute arbitrary constructors on the Java Virtual Machine (JVM). This could occur when the attacker can influence an application-built OQL query string or use a `SELECT DISTINCT` variant with planted grid values, potentially leading to a compromise of the service's behavior.

  • Arbitrary code execution on the JVM.
  • Influencing OQL queries or using planted grid values.
  • Compromise of service behavior.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in IBM WebSphere Extreme Scale's Object Query Language engine impacts applications using this technology, likely requiring collaboration between application owners, platform teams, and security teams. The immediate first step is to inventory where WebSphere Extreme Scale is deployed, assess its exposure and criticality, and identify the accountable teams to plan remediation based on risk.

  • Application owners and platform teams should own.
  • Verify deployed instances and exposure.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM WebSphere Extreme Scale?

It is a high-performance, distributed data grid and caching platform designed for large-scale enterprise environments. It stores data in-memory to improve application speed and scalability by reducing the need to query traditional databases directly. As a middleware layer, it supports complex data management and OQL-based querying capabilities essential for maintaining performance under heavy, concurrent user loads.

How does CWE-470 apply to this vulnerability?

CWE-470, Use of Externally-Controlled Input to Select Classes or Code, occurs when software allows user input to determine which Java classes are loaded or instantiated. In this case, the Object Query Language engine fails to validate class names provided by users. Consequently, the application interprets these strings and invokes their constructors, allowing the selection and execution of unintended code via the JVM.

Can this vulnerability trigger without direct user input?

The vulnerability is not limited to direct, real-time query injection. It triggers when an authenticated attacker influences an application-built OQL query string. Furthermore, the issue can manifest through a SELECT DISTINCT variant using planted grid values. This mechanism operates post-deserialization and persists across grid node boundaries, bypassing standard JEP-290 serialization filters to execute constructors.

How relevant is this flaw to internal network security?

According to the Halo Surface Signal, this software typically functions as a backend data grid or caching layer. While often integrated into applications that may face the internet, the component itself usually resides within internal network segments, making direct external access less common but still a critical architectural concern.

How should teams respond to this critical advisory?

Teams should initiate a coordinated response by inventorying all instances of WebSphere Extreme Scale. Because this affects core data services, application owners and platform teams must collaborate to verify exposure levels. Focus on assessing the risk of each deployment to prioritize remediation efforts and determine the appropriate security configuration for the OQL engine.

References