CVE-2026-2475 - Vulnerability Details

- Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access

Description

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites.

Published: 2026-04-01

Score: 3.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An open redirect flaw in IBM Verify Identity Access and IBM Security Verify Access allows a remote attacker to craft a request that redirects a user to an arbitrary website. This can be exploited to create convincing phishing pages, potentially leading a victim to divulge sensitive credentials or personal information. The vulnerability does not provide direct code execution or data disclosure, but the impact lies in facilitating credential theft and social engineering attacks.

Affected Systems

IBM Verify Identity Access versions 11.0 through 11.0.2 and IBM Security Verify Access versions 10.0 through 10.0.9.1, including their corresponding container editions, are affected. The specific affected releases are Verify Identity Access 11.0, 11.0.2 and Security Verify Access 10.0, 10.0.9.1.

Risk and Exploitability

The CVSS score is 3.1, indicating low severity. EPSS is below 1%, signifying a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending a specially crafted HTTP request; the victim must click a link to trigger the redirect, so social engineering is a prerequisite.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

Verify Identity Access Container

affected

Version	Status	Constraints
`11.0`	affected	≤ 11.0.2

IBM

Security Verify Access Container

affected

Version	Status	Constraints
`10.0`	affected	≤ 10.0.9.1

IBM

Verify Identity Access

affected

Version	Status	Constraints
`11.0`	affected	≤ 11.0.2

IBM

Security Verify Access

affected

Version	Status	Constraints
`10.0`	affected	≤ 10.0.9.1

Configuration 1 [-]

OR	cpe:2.3:a:ibm:security_verify_access::::::::
	cpe:2.3:a:ibm:security_verify_access_container::::::::
	cpe:2.3:a:ibm:verify_identity_access::::::::
	cpe:2.3:a:ibm:verify_identity_access_container::::::::

No data.

Vendor Product Confidence Versions

Ibm

Security Verify Access

95%

Version	Status	Scheme	Platform
`[10.0,10.0.9.1]`	affected	generic	—

Ibm

Security Verify Access Container

100%

Version	Status	Scheme	Platform
`[10.0,10.0.9.1]`	affected	generic	—

Ibm

Verify Identity Access

95%

Version	Status	Scheme	Platform
`[11.0,11.0.2]`	affected	generic	—

Ibm

Verify Identity Access Container

100%

Version	Status	Scheme	Platform
`[11.0,11.0.2]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

IBM encourages customers to update their systems promptly. Appliance: Affected Products and Versions Fix availability IBM Verify Identity Access 11.0 - 11.0.2 Download IBM Verify Identity Access v11.0.2 IF1 https://www.ibm.com/support/fixcentral/quickorder IBM Security Verify Access 10.0 - 10.0.9.1 Download IBM Security Verify Access v10.0.9.1 IF1 https://www.ibm.com/support/fixcentral/quickorder

OpenCVE Recommended Actions

Download and install IBM Verify Identity Access v11.0.2 IF1 patch from IBM Fix Central.
Download and install IBM Security Verify Access v10.0.9.1 IF1 patch from IBM Fix Central.
Verify configuration to ensure no open redirect paths remain.
Monitor logs for unusual redirect activity and user reports of phishing attempts.

Generated by OpenCVE AI on April 7, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.ibm.com/support/pages/node/7268253

History

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:ibm:security_verify_access:::::::: cpe:2.3:a:ibm:security_verify_access_container:::::::: cpe:2.3:a:ibm:verify_identity_access:::::::: cpe:2.3:a:ibm:verify_identity_access_container::::::::

Thu, 02 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites.
Title		Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access
First Time appeared		Ibm Ibm security Verify Access Ibm security Verify Access Container Ibm verify Identity Access Ibm verify Identity Access Container
Weaknesses		CWE-601
CPEs		cpe:2.3:a:ibm:security_verify_access:10.0.0:::::::* cpe:2.3:a:ibm:security_verify_access:10.0.9.1:::::::* cpe:2.3:a:ibm:security_verify_access:10.0:::::::* cpe:2.3:a:ibm:security_verify_access_container:10.0.0:::::::* cpe:2.3:a:ibm:security_verify_access_container:10.0.9.1:::::::* cpe:2.3:a:ibm:security_verify_access_container:10.0:::::::* cpe:2.3:a:ibm:verify_identity_access:11.0.0:::::::* cpe:2.3:a:ibm:verify_identity_access:11.0.2:::::::* cpe:2.3:a:ibm:verify_identity_access:11.0:::::::* cpe:2.3:a:ibm:verify_identity_access_container:11.0.0:::::::* cpe:2.3:a:ibm:verify_identity_access_container:11.0.2:::::::* cpe:2.3:a:ibm:verify_identity_access_container:11.0:::::::*
Vendors & Products		Ibm Ibm security Verify Access Ibm security Verify Access Container Ibm verify Identity Access Ibm verify Identity Access Container
References		https://www.ibm.com/support/pages/node/7268253
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Subscriptions

Ibm Security Verify Access Security Verify Access Container Verify Identity Access Verify Identity Access Container

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-04-01T20:56:21.887Z

Updated: 2026-04-02T13:33:36.265Z

Reserved: 2026-02-13T15:48:57.782Z

Link: CVE-2026-2475

Vulnrichment

Updated: 2026-04-02T13:29:43.931Z

NVD

Status : Analyzed

Published: 2026-04-01T21:16:58.860

Modified: 2026-04-07T16:31:56.127

Link: CVE-2026-2475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:47Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object