IBM has released a comprehensive bulletin addressing a series of vulnerabilities within its Verify Identity Access and Security Verify Access product lines. The flaws range from low-impact redirection issues to critical privilege escalation risks that could allow attackers to seize complete control of a system.
Two major vulnerabilities stand out due to their high severity scores:
- Root Privilege Escalation (CVE-2026-1346): With a CVSS score of 9.3, this is the most severe flaw in the report. In the IBM Security Verify Access Container, a locally authenticated user can escalate their privileges to root because the application executes with more privileges than necessary.
- Authentication Bypass (CVE-2026-4101): Rated at 8.1, this vulnerability allows an attacker to bypass authentication mechanisms entirely under specific load conditions. This could result in unauthorized access to sensitive application data and functions.
The advisory covers several other attack vectors that demonstrate the complexity of modern identity management security:
| CVE ID | Severity | Threat Type | Impact |
|---|---|---|---|
| CVE-2026-1342 | 8.5 | Script Inclusion | Locally authenticated users can execute malicious scripts outside the control sphere. |
| CVE-2026-1345 | 7.3 | OS Command Injection | Unauthenticated users can execute arbitrary commands with lower-level privileges. |
| CVE-2026-1343 | 7.2 | SSRF | Attackers can contact internal authentication endpoints protected by the Reverse Proxy. |
| CVE-2026-4364 | 5.4 | XSS | Improper MIME types (JSON delivered as HTML) can lead to JavaScript injection in browsers. |
| CVE-2026-2862 | 5.3 | HTTP Smuggling | Inconsistent interpretation of HTTP requests allows access to sensitive info via reverse proxy. |
The vulnerabilities impact both the appliance-based and containerized versions of the following products:
- IBM Verify Identity Access: Versions 11.0 through 11.0.2.
- IBM Security Verify Access: Versions 10.0 through 10.0.9.1.
IBM encourages all customers to update their systems promptly to mitigate these risks. The following fixes are currently available for download:
- For Verify Identity Access 11.x: Upgrade to v11.0.2 IF1.
- For Security Verify Access 10.x: Upgrade to v10.0.9.1 IF1.
Administrators should prioritize the v10.0.9.1 IF1 and v11.0.2 IF1 updates, particularly those utilizing containerized deployments where the privilege escalation and script execution risks are most prevalent.
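As an added example (not code from IBM or from this bulletin), the affected ranges and interim-fix levels above can be turned into a fleet check: the script parses version strings such as `10.0.9.1 IF1`, decides whether an instance is still inside an affected range, and lists the hosts from a constructed, hypothetical inventory that still need the update.

```python
import re

# Affected ranges and fixes as stated in the bulletin summary above:
# product -> (first affected, last affected, fixed release, interim-fix level that fixes it)
AFFECTED = {
    "IBM Verify Identity Access": ((11, 0), (11, 0, 2), (11, 0, 2), 1),
    "IBM Security Verify Access": ((10, 0), (10, 0, 9, 1), (10, 0, 9, 1), 1),
}

# Accepts "11.0.2", "11.0.2 IF1", "10.0.9.1 if1" (interim fix suffix optional).
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:IF(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (numeric tuple, interim-fix level or 0) for a product version string."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    iflevel = int(m.group(2)) if m.group(2) else 0
    return nums, iflevel


def _pad(t, width):
    # Right-pad with zeros so "10.0" and "10.0.9.1" compare component by component.
    return t + (0,) * (width - len(t))


def is_vulnerable(product, version_text):
    """True if the version lies inside the affected range and lacks the fixing interim fix."""
    first, last, fixed, fixed_if = AFFECTED[product]
    nums, iflevel = parse_version(version_text)
    width = max(len(nums), len(first), len(last), len(fixed))
    v = _pad(nums, width)
    if v < _pad(first, width) or v > _pad(last, width):
        return False  # outside the range the bulletin lists as affected
    if v == _pad(fixed, width) and iflevel >= fixed_if:
        return False  # fixed release with the interim fix applied
    return True


# Constructed sample inventory with hypothetical hostnames: "host,product,version" per line.
SAMPLE_INVENTORY = """\
isva-prod-01,IBM Security Verify Access,10.0.8
isva-prod-02,IBM Security Verify Access,10.0.9.1 IF1
via-lab-01,IBM Verify Identity Access,11.0.2
via-lab-02,IBM Verify Identity Access,11.0.2 IF1
"""


def hosts_needing_patch(inventory=SAMPLE_INVENTORY):
    """Return hostnames whose installed version is still affected."""
    out = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (s.strip() for s in line.split(",", 2))
        if is_vulnerable(product, version):
            out.append(host)
    return out
```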