The vulnerabilities affect both software and container deployments, creating serious risks for organizations relying on IBM’s authentication and access management platforms.
Security experts are urging immediate action, as several of the flaws are rated critical.
The most severe issue, tracked as CVE-2026-1188 with a CVSS score of 9.8, is a buffer overflow vulnerability in the Eclipse OMR component.
This flaw allows remote attackers to execute arbitrary code or crash systems by exploiting improper memory handling while processor feature information is processed.
Another critical vulnerability, CVE-2026-1346 (CVSS 9.3), enables privilege escalation within IBM Security Verify Access containers.
Attackers with local access can exploit this flaw to gain root privileges due to improper execution controls.
IBM also highlighted a serious cryptographic weakness (CVE-2023-46233, CVSS 9.1) in the widely used crypto-js library.
The library defaults to outdated SHA-1 hashing and weak PBKDF2 configurations, making password protections vulnerable to collision and preimage attacks.
Several high-severity flaws directly impact authentication and access controls. CVE-2026-4101 allows authentication bypass under certain system load conditions, enabling attackers to gain unauthorized access.
CVE-2026-1345 exposes an OS command injection flaw that allows unauthenticated users to execute system-level commands.
Additionally, CVE-2026-1343 is a server-side request forgery (SSRF) vulnerability that lets attackers bypass reverse proxies and interact directly with internal authentication services.
Two HTTP request smuggling issues (CVE-2026-2862 and CVE-2026-1491) further increase the risk by enabling unauthorized access to sensitive data through request parsing inconsistencies.
The advisory also includes Java SE vulnerabilities that can lead to resource exhaustion, data manipulation, and security bypass.
On the client side, multiple cross-site scripting (XSS) flaws could allow attackers to inject malicious scripts into user sessions.
One issue involves improper content-type handling that causes browsers to execute malicious JSON payloads as scripts.
An open redirect vulnerability (CVE-2026-2475) could also be exploited in phishing campaigns, redirecting users to attacker-controlled websites.
The vulnerabilities impact IBM Verify Identity Access versions 11.0 to 11.0.2 and IBM Security Verify Access versions 10.0 to 10.0.9.1, including their containerized deployments.
IBM strongly recommends applying the latest security patches immediately. Administrators should also update crypto-js to version 4.2.0 or configure stronger hashing algorithms, such as SHA-256, with increased iteration counts.
Additional mitigation steps include restricting access to internal authentication endpoints and monitoring systems for suspicious activity.
Given the critical role of identity and access management systems, delaying patching could expose organizations to severe data breaches and operational disruption.
The post "IBM Security Verify Access Vulnerabilities Allow Remote Attackers to Access Sensitive Data" appeared first on Cyber Security News.