IBM has issued a critical security bulletin alerting users to multiple vulnerabilities within its Verify Identity Access and Security Verify Access products. These vulnerabilities, if not immediately addressed, could pose significant risks, allowing unauthorized access to sensitive data and potentially leading to a denial-of-service attack.
Urgent Need for Security Patches
Organizations using these authentication platforms are urged to apply the necessary patches promptly. The bulletin emphasizes a critical flaw in the handling of web traffic. Tracked as CVE-2026-2862 and CVE-2026-1491, it involves HTTP request smuggling caused by inconsistent reverse proxy handling and carries a CVSS score of 5.3.
The vulnerability allows a remote, unauthenticated attacker to manipulate proxy servers, thereby bypassing security measures and gaining unauthorized access to critical user data. This exposes organizations to severe security breaches if left unresolved.
High-Severity Security Risks
In addition to the web traffic issue, IBM’s update addresses several other significant vulnerabilities that demand immediate attention from system administrators. Notably, an error in calculating buffer sizes during processor feature reading can lead to memory overflow, risking full system compromise.
Among these, CVE-2026-1346, a flaw with a CVSS score of 9.3, allows locally authenticated users to escalate their privileges to root. Similarly, CVE-2023-46233 exposes weaknesses in the crypto-js library’s use of the outdated SHA-1 algorithm, compromising password and signature protections against brute-force attacks.
Impact and Recommendations
The vulnerabilities impact IBM Verify Identity Access and IBM Security Verify Access versions 10.0 through 11.0.2, including their Container deployments. IBM strongly advises customers to implement the available software fixes promptly, as no official workarounds are available.
System administrators should download and install the latest patches, specifically IBM Verify Identity Access v11.0.2 IF1 or IBM Security Verify Access v10.0.9.1 IF1, from IBM’s support portal. For Container users, pulling updated images from the container registry is essential to safeguard their environments against potential threats.
