Critical IBM Security Verify Access Flaws Expose Sensitive Data
Key Takeaways
- Multiple critical and high-severity vulnerabilities have been discovered in IBM Verify Identity Access and IBM Security Verify Access products.
- These flaws could lead to sensitive data exposure, privilege escalation, and denial-of-service attacks.
- Affected versions range from 10.0 through 11.0.2, including container deployments.
- IBM has released patches, and immediate application is strongly recommended as no workarounds exist.
A recent security bulletin from IBM has revealed a series of critical vulnerabilities impacting its Verify Identity Access and Security Verify Access products. These security weaknesses, if left unaddressed, pose significant risks, potentially allowing unauthorized access to sensitive information, elevation of system privileges, or complete disruption of application services.
Table of Contents
- Key Takeaways
- HTTP Request Smuggling and Data Exposure
- Critical and High-Severity Flaws
- CVE-2026-1188 (CVSS 9.8): Critical Buffer Overflow
- CVE-2026-1346 (CVSS 9.3): Privilege Escalation
- CVE-2023-46233 (CVSS 9.1): Weak Cryptographic Protection
- CVE-2026-1342 (CVSS 8.5): Arbitrary Script Execution
- CVE-2026-4101 (CVSS 8.1): Authentication Bypass
- CVE-2026-1345 (CVSS 7.3): OS Command Injection
- What You Should Do
Organizations that rely on these IBM authentication platforms are urged to implement the provided patches without delay. A prominent concern highlighted in the advisory involves how the platforms process web traffic.
HTTP Request Smuggling and Data Exposure
The bulletin also lists two HTTP request smuggling vulnerabilities, CVE-2026-2862 and CVE-2026-1491, which stem from inconsistent handling of HTTP requests by the product's reverse proxy. Both carry a CVSS score of 5.3, so they are medium-severity on paper, but an unauthenticated remote attacker could use them to make the proxy disclose internal web traffic. Request smuggling works because the proxy and the back end disagree about where one request ends and the next begins; bytes the proxy treats as the body of a harmless request are parsed by the back end as a second request that never passed the proxy's security checks, which is how an attacker gains unauthorized access to sensitive user data.
Critical and High-Severity Flaws
Beyond the HTTP request smuggling issues, the security update addresses several other severe vulnerabilities that system administrators must prioritize for patching:
- CVE-2026-1188 (CVSS 9.8): Critical Buffer Overflow. This flaw resides in the Eclipse OMR port library, which miscalculates a buffer size when reading processor features. An attacker able to trigger the overflow could corrupt memory and potentially achieve full system compromise.
- CVE-2026-1346 (CVSS 9.3): Privilege Escalation. A flaw in the Security Verify Access Container allows a locally authenticated user to escalate to root, gaining full control of the affected system.
- CVE-2023-46233 (CVSS 9.1): Weak Cryptographic Protection. The bundled crypto-js library's PBKDF2 implementation defaults to HMAC-SHA-1 with a single iteration, far below current key-stretching recommendations, so passwords and signing keys derived with the defaults offer little resistance to brute-force attacks.
- CVE-2026-1342 (CVSS 8.5): Arbitrary Script Execution. The Container platform allows locally authenticated users to execute scripts from an untrusted control sphere, bypassing intended security boundaries.
- CVE-2026-4101 (CVSS 8.1): Authentication Bypass. Under specific heavy-load conditions, a remote attacker can bypass authentication and gain unauthorized access to the application.
- CVE-2026-1345 (CVSS 7.3): OS Command Injection. Improper input validation allows an unauthenticated user to execute arbitrary operating-system commands.
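The crypto-js weakness (CVE-2023-46233) is easy to underestimate because the library still "works"; what changes is the cost of guessing. The following Python script is an added example, not code from IBM or crypto-js: it uses hashlib to derive keys with the old crypto-js PBKDF2 defaults (HMAC-SHA-1, one iteration) and with a modern parameter set, then runs the same small dictionary attack against both. The salt, wordlist and target password are constructed for the example, and the 600,000-iteration figure is a commonly recommended order of magnitude rather than a value taken from the bulletin.

```python
"""Weak versus hardened PBKDF2 parameters (the CVE-2023-46233 issue).

Added example, not code from IBM or crypto-js.  Keys are derived with the
old crypto-js defaults (HMAC-SHA1, 1 iteration) and with a modern setting,
then the same dictionary attack is run against both.  Salt, wordlist and
target password are constructed.
"""
import hashlib
import hmac
import time

SALT = bytes.fromhex("8f3a1c5e7b2d4f60a9c8e1d2b3a4f5c6")      # constructed 16-byte salt
WEAK = {"hash": "sha1", "iterations": 1}               # old crypto-js defaults
STRONG = {"hash": "sha256", "iterations": 600_000}     # modern recommended order of magnitude

WORDLIST = ["password", "letmein", "hunter2", "Tr0ub4dor&3"]   # constructed
TARGET_PASSWORD = "hunter2"                                     # constructed


def derive(password: str, params: dict, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC key derivation with the given digest and iteration count."""
    return hashlib.pbkdf2_hmac(params["hash"], password.encode("utf-8"),
                               SALT, params["iterations"], dklen)


def dictionary_attack(target_key: bytes, params: dict):
    """Re-derive each candidate and compare in constant time.
    Returns (recovered_password_or_None, guesses_made, seconds_spent)."""
    start = time.perf_counter()
    for n, guess in enumerate(WORDLIST, 1):
        if hmac.compare_digest(derive(guess, params), target_key):
            return guess, n, time.perf_counter() - start
    return None, len(WORDLIST), time.perf_counter() - start


def cost_ratio() -> int:
    """Extra PBKDF2 iterations an attacker pays per guess under STRONG
    compared with WEAK (digest block-count differences aside)."""
    return STRONG["iterations"] // WEAK["iterations"]


def compare():
    """Attack a key derived under each parameter set; both attacks succeed on
    this tiny wordlist, but the per-guess cost differs by cost_ratio()."""
    results = {}
    for name, params in (("weak", WEAK), ("strong", STRONG)):
        key = derive(TARGET_PASSWORD, params)
        results[name] = dictionary_attack(key, params)
    return results


if __name__ == "__main__":
    for name, (found, guesses, secs) in compare().items():
        print(f"{name:6s}: recovered={found!r} after {guesses} guesses in {secs:.4f}s")
    print(f"each guess costs {cost_ratio()}x more iterations under STRONG")
```

With one iteration the attacker's cost per guess is a single HMAC, which is why the defaults are treated as a critical weakness despite the algorithm itself being standard PBKDF2; the fix is to pin the digest and iteration count explicitly in any code that calls the library.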
The bulletin also addresses CVE-2026-1343 (Server-Side Request Forgery), CVE-2025-12635 (Cross-Site Scripting), and several Java SE resource consumption vulnerabilities.
These security flaws affect IBM Verify Identity Access and IBM Security Verify Access versions 10.0 through 11.0.2, including their respective Container deployments. IBM has emphasized that no official workarounds or mitigations are available to prevent these attacks, thus strongly encouraging customers to apply the software fixes immediately.
What You Should Do
- System administrators should download and install IBM Verify Identity Access v11.0.2 IF1 or IBM Security Verify Access v10.0.9.1 IF1 from the official IBM support portal.
- For Container users, it is imperative to pull the latest updated images from the container registry to ensure their environments are secured against these newly disclosed threats.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.