Critical IBM IAM Vulnerabilities Expose Sensitive Data; Immediate Updates Essential

Critical Vulnerabilities in IBM Identity and Access Management Systems Demand Immediate Attention

IBM has recently disclosed multiple critical vulnerabilities within its Verify Identity Access and Security Verify Access products, posing significant risks to organizations that rely on these systems for authentication and access management. If left unaddressed, these flaws could enable malicious actors to access sensitive information, escalate privileges, or disrupt services entirely.

Key Vulnerabilities Identified:

1. HTTP Request Smuggling Flaws (CVE-2026-2862 and CVE-2026-1491): These vulnerabilities, each assigned a CVSS score of 5.3, stem from inconsistent handling of reverse proxy requests. Exploitation could allow remote, unauthenticated attackers to manipulate proxy servers, potentially exposing internal web traffic and bypassing security measures to access sensitive user data.

2. Buffer Overflow in Eclipse OMR Port Library (CVE-2026-1188): With a critical CVSS score of 9.8, this flaw arises from improper buffer size calculations when reading processor features. Attackers could exploit this to overflow the buffer, potentially leading to complete system compromise.

3. Privilege Escalation in Security Verify Access Container (CVE-2026-1346): This severe vulnerability, rated at 9.3 on the CVSS scale, allows locally authenticated users to escalate their privileges to root due to the application executing with excessive privileges.

4. Weakness in Crypto-js Library (CVE-2023-46233): Assigned a CVSS score of 9.1, this issue involves the use of the outdated SHA-1 hashing algorithm with minimal iterations, significantly weakening password and signature protections against brute-force attacks.

5. Script Execution from Untrusted Control Sphere (CVE-2026-1342): With a CVSS score of 8.5, this vulnerability allows locally authenticated users to execute malicious scripts from an untrusted control sphere within the Container platform.

6. Authentication Bypass Under Load Conditions (CVE-2026-4101): Rated at 8.1 on the CVSS scale, this flaw enables remote attackers to bypass authentication mechanisms under specific load conditions, granting unauthorized access to the application.

7. OS Command Injection (CVE-2026-1345): This vulnerability, with a CVSS score of 7.3, allows unauthenticated users to execute arbitrary commands due to improper input validation.

Additional vulnerabilities addressed include server-side request forgery (CVE-2026-1343), cross-site scripting (CVE-2025-12635), and several Java SE resource consumption issues.

Affected Products and Versions:

– IBM Verify Identity Access: Versions 11.0 through 11.0.2

– IBM Security Verify Access: Versions 10.0 through 10.0.9.1

– IBM Verify Identity Access Container: Versions 11.0 through 11.0.2

– IBM Security Verify Access Container: Versions 10.0 through 10.0.9.1

Recommended Actions:

IBM strongly advises all customers to promptly update their systems to mitigate these vulnerabilities. There are no official workarounds or mitigations available; therefore, applying the provided software fixes is essential.

– For Appliance Users:

  – IBM Verify Identity Access: Upgrade to version 11.0.2 IF1

  – IBM Security Verify Access: Upgrade to version 10.0.9.1 IF1

– For Container Users: Pull the latest updated images from the container registry to ensure environments are secure against external threats.

Conclusion:

The identified vulnerabilities in IBM’s identity and access management products present significant security risks. Organizations must act swiftly to apply the necessary updates and protect their systems from potential exploitation. Regular monitoring and timely patching are crucial components of a robust cybersecurity strategy.