IBM warns of multiple Verify Access flaws that can expose sensitive data and bypass authentication
IBM has released fixes for multiple vulnerabilities in IBM Verify Identity Access and IBM Security Verify Access, including bugs that can expose sensitive information, allow command execution, trigger SSRF, and in some cases let attackers bypass authentication. The affected product lines include IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1, along with their container deployments.
The most widely cited pair in the advisory is CVE-2026-2862 and CVE-2026-1491. IBM says both flaws stem from inconsistent interpretation of HTTP requests by a reverse proxy, which maps to HTTP request smuggling. Each carries a CVSS 5.3 score in IBM’s bulletin.
Those two issues matter because a remote attacker does not need credentials to exploit them. IBM says they could allow access to sensitive information through reverse proxy misinterpretation of HTTP traffic.
Higher-severity issues raise the risk further
The IBM bulletin also includes several vulnerabilities more severe than the two request-smuggling bugs. Among the highest-rated is CVE-2026-1188, a buffer overflow in the Eclipse OMR port library, with a CVSS 9.8 score listed in IBM’s advisory.
IBM also lists CVE-2026-1346, a container privilege escalation flaw rated 9.3, and CVE-2026-1342, a container issue rated 8.5 that could let a locally authenticated user execute malicious scripts from outside the intended control sphere. Another major issue, CVE-2026-4101, carries a CVSS 8.1 score and could allow authentication bypass under certain load conditions.
One of the most serious remotely reachable flaws in practical terms is CVE-2026-1345. IBM describes it as an OS command injection bug in IBM Security Verify Access Container that could let an unauthenticated user execute arbitrary commands with lower system privileges because of improper input validation.
Key vulnerabilities in the IBM advisory
| CVE | IBM description | CVSS |
|---|---|---|
| CVE-2026-2862 | Sensitive information exposure via reverse proxy HTTP request misinterpretation | 5.3 |
| CVE-2026-1491 | Sensitive information exposure via reverse proxy HTTP request misinterpretation | 5.3 |
| CVE-2026-1188 | Buffer overflow in Eclipse OMR port library | 9.8 |
| CVE-2026-1346 | Privilege escalation to root in container deployment | 9.3 |
| CVE-2026-1342 | Malicious script execution from outside control sphere | 8.5 |
| CVE-2026-4101 | Authentication bypass under certain load conditions | 8.1 |
| CVE-2026-1345 | OS command injection | 7.3 |
| CVE-2026-1343 | SSRF against internal authentication endpoints protected by reverse proxy | 7.2 |
All values above come from IBM’s published security bulletin.
Affected versions and patch guidance
IBM says the vulnerabilities affect IBM Verify Identity Access 11.0 through 11.0.2, IBM Security Verify Access 10.0 through 10.0.9.1, and the corresponding container versions for those branches. NVD mirrors the same affected ranges for CVE-2026-2862.
IBM’s fix guidance is direct. Customers should move to IBM Verify Identity Access 11.0.2 IF1 or IBM Security Verify Access 10.0.9.1 IF1. Container users should pull the latest updated images rather than rely on older cached deployments.
IBM also says there are no workarounds or mitigations listed for this bulletin. That makes patching the primary defensive action for exposed environments.
Why this bulletin matters
This advisory is not about one isolated bug. It covers multiple classes of weakness across the same identity and access stack, including information disclosure, SSRF, command injection, authentication bypass, and privilege escalation. For organizations that use Verify Access as part of their authentication or reverse proxy layer, the risk goes beyond a minor patch cycle.
The request-smuggling flaws alone can expose sensitive data to a remote attacker. When you add the authentication bypass and command injection issues on top, the overall exposure becomes more serious, especially in internet-facing deployments and containerized environments.
Admins should treat this as a broad hardening update, not just a single-CVE fix. The mix of severity ratings in IBM’s bulletin suggests both immediate external risk and meaningful post-compromise escalation risk inside affected environments.
What security teams should do now
- Identify any systems running IBM Verify Identity Access 11.0 to 11.0.2 or IBM Security Verify Access 10.0 to 10.0.9.1, including container deployments.
- Patch to IBM Verify Identity Access 11.0.2 IF1 or IBM Security Verify Access 10.0.9.1 IF1 as applicable.
- Pull the latest container images from IBM’s registry for container-based deployments.
- Review reverse proxy exposure and authentication logs for unusual requests, especially where internal endpoints sit behind proxy layers.
- Prioritize externally exposed systems first because several listed flaws are remotely reachable without authentication.
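The first two steps above amount to comparing each deployment's version against the affected ranges and fix levels IBM names. The following triage script is an added example, not IBM's tooling or anything from the bulletin; the inventory entries, hostnames and product keys ("IVIA", "ISVA") are constructed for illustration, and it assumes a version string of the form "10.0.9.1 IF1" where the IF suffix is the interim fix level.

```python
import re

# Affected ranges and fix levels as stated in IBM's bulletin:
# product key -> (min inclusive, max inclusive, fixed base version, fix IF level)
AFFECTED = {
    "IVIA": ((11, 0, 0), (11, 0, 2), (11, 0, 2), 1),        # IBM Verify Identity Access
    "ISVA": ((10, 0, 0), (10, 0, 9, 1), (10, 0, 9, 1), 1),  # IBM Security Verify Access
}

# Assumed version format: dotted numbers, optionally followed by " IF<n>".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\s+IF(\d+))?$")

def parse_version(text):
    """Return (numeric tuple, interim-fix level) for strings like '10.0.9.1 IF1'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    iflevel = int(m.group(2)) if m.group(2) else 0
    return nums, iflevel

def pad(v, n=4):
    """Right-pad a version tuple with zeros so 10.0 compares as 10.0.0.0."""
    return v + (0,) * (n - len(v))

def is_affected(product, version_text):
    """True when the version lies inside the bulletin's affected range and has
    not reached the IF1 level IBM names as the fix (a later IF counts as fixed)."""
    nums, iflevel = parse_version(version_text)
    lo, hi, fixed_base, fix_if = AFFECTED[product]
    if not (pad(lo) <= pad(nums) <= pad(hi)):
        return False  # outside the affected branch entirely
    if pad(nums) == pad(fixed_base) and iflevel >= fix_if:
        return False  # already at 11.0.2 IF1 / 10.0.9.1 IF1 or later
    return True

def triage(inventory):
    """inventory: iterable of (hostname, product key, version string) tuples."""
    return [(host, f"{product} {ver}") for host, product, ver in inventory
            if is_affected(product, ver)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("idp-edge-1", "ISVA", "10.0.9.1"),
    ("idp-edge-2", "ISVA", "10.0.9.1 IF1"),
    ("idp-core-1", "IVIA", "11.0.1"),
    ("idp-lab", "IVIA", "11.0.2 IF1"),
    ("legacy-sso", "ISVA", "9.0.7"),
]

if __name__ == "__main__":
    for host, what in triage(SAMPLE):
        print(f"PATCH NEEDED: {host} runs {what}")
```

Container deployments are not modelled here; for those, IBM's guidance is simply to pull the latest updated image for the branch in use.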
FAQ
Are any of these vulnerabilities remotely exploitable?
Yes, several are. IBM says CVE-2026-2862, CVE-2026-1491, CVE-2026-1343, CVE-2026-1345, and CVE-2026-4101 can be triggered remotely, while others require local access or specific deployment conditions.
Which vulnerability has the highest severity score?
In this bulletin, CVE-2026-1188 has the highest listed score at 9.8. It affects the Eclipse OMR port library component referenced by IBM.
Are there any workarounds?
IBM’s bulletin lists no workarounds or mitigations. IBM urges customers to apply the fixes promptly.
Which versions contain the fixes?
IBM says customers should install IBM Verify Identity Access 11.0.2 IF1 or IBM Security Verify Access 10.0.9.1 IF1, depending on the product branch they use.