IBM has issued an urgent security bulletin addressing a slew of vulnerabilities impacting IBM Verify Identity Access and IBM Security Verify Access.
These flaws span across critical dependencies and internal mechanisms, exposing organizations to risks ranging from remote data theft to complete system compromise.
Cybersecurity professionals and administrators must evaluate these threats immediately to secure their authentication infrastructure.
The most severe flaw identified is a critical buffer overflow vulnerability (CVE-2026-1188) with a CVSS score of 9.8.
Found within the Eclipse OMR port library component, an incorrectly sized buffer during processor feature processing could allow a remote attacker to execute arbitrary code or trigger a denial of service.
Another massive threat stems from a privilege escalation vulnerability (CVE-2026-1346, CVSS 9.3) within the IBM Security Verify Access Container.
Locally authenticated users can exploit this flaw because the container executes with unnecessary privileges, ultimately escalating their permissions to root.
Additionally, a high-severity cryptography weakness (CVE-2023-46233, CVSS 9.1) affects the crypto-js library used by the products.
The library defaults to the outdated SHA-1 hash and a single iteration for PBKDF2, leaving the derived keys substantially weaker than modern industry standards.
This exposes password protections and generated signatures to preimage and collision attacks.
Authentication Bypass and Remote Access
Several high-severity flaws directly target the application’s core security controls:
- Authentication Bypass (CVE-2026-4101): Under specific load conditions, attackers can completely bypass authentication mechanisms to gain unauthorized application access.
- OS Command Injection (CVE-2026-1345): Improper validation allows unauthenticated users to execute arbitrary OS commands with lower privileges.
- Server-Side Request Forgery (CVE-2026-1343): Remote attackers can bypass the Reverse Proxy and directly contact internal authentication endpoints.
- HTTP Request Smuggling (CVE-2026-2862, CVE-2026-1491): Inconsistent interpretation of HTTP requests by the reverse proxy enables remote attackers to access highly sensitive information.
The bulletin also outlines multiple Java SE flaws (CVE-2026-21945, CVE-2026-21932) that permit remote attackers to consume uncontrolled resources, bypass security controls, and maliciously modify accessible data without authorization.
Administrators must also account for client-side attacks. Multiple Cross-Site Scripting (XSS) vulnerabilities (CVE-2025-12635, CVE-2026-4364) allow attackers to embed malicious JavaScript.
One such flaw tricks the browser into executing JSON payload scripts because of an incorrect text/html Content-Type response.
An Open Redirect vulnerability (CVE-2026-2475) also permits attackers to conduct sophisticated phishing campaigns by redirecting victims to arbitrary malicious websites using a specially crafted request.
Affected Products and Versions
The security flaws impact the following IBM product versions:
- IBM Verify Identity Access (Versions 11.0 to 11.0.2)
- IBM Verify Identity Access Container (Versions 11.0 to 11.0.2)
- IBM Security Verify Access (Versions 10.0 to 10.0.9.1)
- IBM Security Verify Access Container (Versions 10.0 to 10.0.9.1)
Organizations using the affected IBM Verify versions are urged to apply the latest security patches provided by IBM immediately.
For the crypto-js vulnerability, administrators should ensure the library is updated to version 4.2.0 or is manually configured to use SHA-256 with at least 250,000 iterations.
Regular system monitoring and restricting access to internal authentication endpoints can also help mitigate potential unauthorized access while patches are being deployed.