Description
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure
Action: Patch now
AI Analysis

Impact

IBM Verify Identity Access and IBM Security Verify Access versions 11.0 and 10.0 respectively can allow a remote attacker to read sensitive information. The vulnerability arises from an inconsistent interpretation of an HTTP request by a reverse proxy, enabling the attacker to bypass proper request validation and gain unauthorized access to protected data. This is a confidentiality breach as the attacker may obtain data that should remain private. The weakness is classified as CWE‑444, which involves inadequate or inconsistent validation of input data, in this case the HTTP host header.

Affected Systems

IBM Verify Identity Access Container 11.0 through 11.0.2, IBM Verify Identity Access 11.0 through 11.0.2, IBM Security Verify Access Container 10.0 through 10.0.9.1, and IBM Security Verify Access 10.0 through 10.0.9.1. These include both standalone and container deployments, with the affected versions specifically listed as 11.0.0 to 11.0.2 for Verify Identity Access and 10.0.0 to 10.0.9.1 for Security Verify Access.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity impact. EPSS is less than 1%, suggesting a low likelihood of exploitation at the time of disclosure. The issue is not listed in CISA’s KEV catalog. Attackers would need to send specially crafted HTTP requests that the reverse proxy misprocesses, likely from an external network. The absence of a known exploit does not eliminate the risk; however, the exploitability is limited by the need to target the specific reverse proxy configuration used by the affected IBM products.

Generated by OpenCVE AI on April 7, 2026 at 23:06 UTC.

Remediation

Vendor Solution

Affected Products and Versions Fix availability IBM Verify Identity Access 11.0 - 11.0.2 Download IBM Verify Identity Access v11.0.2 IF1 https://www.ibm.com/support/fixcentral/quickorder IBM Security Verify Access 10.0 - 10.0.9.1 Download IBM Security Verify Access v10.0.9.1 IF1 https://www.ibm.com/support/fixcentral/quickorder

OpenCVE Recommended Actions

  • Download and install IBM Verify Identity Access v11.0.2 IF1 from IBM Fix Central
  • Download and install IBM Security Verify Access v10.0.9.1 IF1 from IBM Fix Central
  • Verify that the reverse proxy enforces strict Host header validation or apply the service patch if unavailable
  • If the patch cannot be applied immediately, isolate the affected services or restrict external access to the reverse proxy until upgraded

Generated by OpenCVE AI on April 7, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.
Title Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access
First Time appeared Ibm
Ibm security Verify Access
Ibm security Verify Access Container
Ibm verify Identity Access
Ibm verify Identity Access Container
Weaknesses CWE-444
CPEs cpe:2.3:a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access:10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:security_verify_access_container:10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access:11.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:verify_identity_access_container:11.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm security Verify Access
Ibm security Verify Access Container
Ibm verify Identity Access
Ibm verify Identity Access Container
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Ibm Security Verify Access Security Verify Access Container Verify Identity Access Verify Identity Access Container
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T14:00:43.189Z

Reserved: 2026-02-20T14:15:32.610Z

Link: CVE-2026-2862

cve-icon Vulnrichment

Updated: 2026-04-02T14:00:39.957Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:59.060

Modified: 2026-04-07T16:32:33.990

Link: CVE-2026-2862

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:54Z

Weaknesses