Description
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.
Published: 2026-04-08
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Network Access
Action: Immediate Patch
AI Analysis

Impact

An admission control flaw in IBM Verify Identity Access and IBM Security Verify Access, both in appliance and container form, permits an attacker to send requests to internal authentication endpoints that are normally shielded by a reverse proxy. This flaw is a form of server‑side request forgery; by exploiting it an attacker can reach resources inside the protected network, potentially revealing or manipulating authentication data or other sensitive services. The impact is the ability to bypass an access control gateway and expose internal endpoints.

Affected Systems

IBM Verify Identity Access versions 11.0 through 11.0.2 and IBM Security Verify Access versions 10.0 through 10.0.9.1, including their containerized equivalents. Updated appliance releases are 11.0.2 and 10.0.9.1, while the container images are provided via the IBM Verify documentation portal.

Risk and Exploitability

The CVSS base score of 7.2 indicates a moderate‑to‑high severity vulnerability, though the EPSS score of less than 1% suggests exploitation is currently uncommon. The flaw is not listed in the CISA KEV catalog, implying limited exploitation in the wild. An attacker would need network access to the affected systems and the ability to craft requests that target the reverse‑proxied internal endpoints; no additional pre‑authentication is mentioned, so the attack vector is inferred to be remote network access.

Generated by OpenCVE AI on April 9, 2026 at 19:24 UTC.

Remediation

Vendor Solution

IBM encourages customers to update their systems promptly. Appliance:  Affected Products and Versions Fix availability IBM Verify Identity Access 11.0 - 11.0.2 Download IBM Verify Identity Access v11.0.2 IF1 https://www.ibm.com/support/fixcentral/quickorder IBM Security Verify Access 10.0 - 10.0.9.1 Download IBM Security Verify Access v10.0.9.1 IF1 https://www.ibm.com/support/fixcentral/quickorder Container: Container Download https://docs.verify.ibm.com/ibm-security-verify-access/docs/containers

OpenCVE Recommended Actions

  • Update IBM Verify Identity Access to v11.0.2 IF1 and IBM Security Verify Access to v10.0.9.1 IF1 as provided by IBM
  • Replace the affected container images with the latest ones from the IBM Verify documentation portal
  • Validate that the reverse proxy configuration blocks unintended internal endpoints and mitigate SSRF through strict request validation
  • Monitor system logs for suspicious outbound requests to internal authentication services

Generated by OpenCVE AI on April 9, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.
Title Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access
First Time appeared Ibm
Ibm security Verify Access
Ibm security Verify Access Container
Ibm verify Identity Access
Ibm verify Identity Access Container
Weaknesses CWE-918
CPEs cpe:2.3:a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm security Verify Access
Ibm security Verify Access Container
Ibm verify Identity Access
Ibm verify Identity Access Container
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ibm Security Verify Access Security Verify Access Container Verify Identity Access Verify Identity Access Container
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-08T16:14:21.901Z

Reserved: 2026-01-22T15:42:45.227Z

Link: CVE-2026-1343

cve-icon Vulnrichment

Updated: 2026-04-08T15:44:10.291Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T01:16:40.503

Modified: 2026-04-09T18:27:45.447

Link: CVE-2026-1343

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:06Z

Weaknesses