A critical IBM security bulletin highlights multiple vulnerabilities in the IBM Verify Identity Access and IBM Security Verify Access products.
If left unpatched, these flaws could allow malicious actors to access sensitive information, escalate their privileges on the system, or cause a complete denial of service of the application.
Organizations relying on these authentication platforms must take immediate action to patch their infrastructure. A standout issue in the latest security advisory revolves around how the platform handles web traffic.
Tracked as CVE-2026-2862 and CVE-2026-1491, these HTTP request smuggling flaws arise from inconsistent reverse proxy handling and carry a CVSS score of 5.3.
By exploiting this vulnerability, a remote, unauthenticated attacker can trick the proxy server into exposing internal web traffic.
Ultimately, this inconsistency allows the attacker to silently bypass security checks and gain unauthorized access to highly sensitive user data.
Critical and High-Severity Flaws
The security update also patches several other severe vulnerabilities that system administrators must prioritize:
Because the system fails to correctly calculate buffer sizes when reading processor features, an attacker can trigger a memory overflow that could lead to complete system compromise.
- CVE-2026-1346 (CVSS 9.3): A severe flaw in the Security Verify Access Container that allows a locally authenticated user to escalate their system privileges directly to root.
- CVE-2023-46233 (CVSS 9.1): A major weakness was found in the crypto-js library. The library defaults to SHA-1, an outdated and insecure hashing algorithm, and uses only a single iteration to set password difficulty. This severely weakens password and signature protections against brute-force attacks.
- CVE-2026-1342 (CVSS 8.5): A vulnerability in the Container platform that lets locally authenticated users execute malicious scripts from an untrusted control sphere.
- CVE-2026-4101 (CVSS 8.1): Under certain heavy load conditions, remote attackers could bypass existing authentication mechanisms and gain unauthorized entry into the application.
- CVE-2026-1345 (CVSS 7.3): An OS command injection vulnerability allowing unauthenticated users to execute arbitrary commands due to improper input validation.
The bulletin also addresses CVE-2026-1343 (Server-Side Request Forgery), CVE-2025-12635 (Cross-Site Scripting), and several Java SE resource consumption vulnerabilities.
These security flaws impact IBM Verify Identity Access and IBM Security Verify Access versions 10.0 through 11.0.2, including their respective Container deployments.
Because there are no official workarounds or mitigations available to stop these attacks, IBM strongly encourages customers to apply the software fixes immediately.
System administrators should download and install IBM Verify Identity Access v11.0.2 IF1 or IBM Security Verify Access v10.0.9.1 IF1 from the official support portal.
Container users must pull the latest updated images from the container registry to ensure their environments remain secure against external threats.