IBM Identity and Verify Access Vulnerabilities Could Expose Sensitive Data and Enable System Compromise

What happened

Multiple vulnerabilities in IBM Verify Identity Access and IBM Security Verify Access could allow attackers to access sensitive information, escalate privileges, execute commands, or disrupt affected systems. The issues affect versions 10.0 through 11.0.2, including related container deployments. Among the flaws are HTTP request smuggling issues tracked as CVE-2026-2862 and CVE-2026-1491, which can let a remote unauthenticated attacker exploit inconsistent reverse proxy handling to expose internal web traffic and bypass security checks. The update also addresses several higher-severity issues, including CVE-2026-1188, a critical buffer overflow flaw; CVE-2026-1346, which can let a locally authenticated user escalate privileges to root in the container; and CVE-2026-1345, an OS command injection vulnerability that can allow unauthenticated command execution. 

Who is affected

The direct exposure affects organizations using IBM Verify Identity Access and IBM Security Verify Access versions 10.0 through 11.0.2, including customers running container deployments. The bulletin also makes clear that container users need updated images in addition to standard software fixes. 

Why CISOs should care

This matters because the flaws span several high-impact attack paths across core identity and access infrastructure, including sensitive data exposure, root privilege escalation, command execution, authentication bypass under load, and denial of service. The urgency is higher because IBM said there are no official workarounds or mitigations available beyond applying the fixes.

3 practical actions

  1. Patch affected deployments immediately: Upgrade to IBM Verify Identity Access v11.0.2 IF1 or IBM Security Verify Access v10.0.9.1 IF1 as recommended by IBM. 
  2. Update container environments separately: Pull the latest updated container images if you are running affected container deployments. 
  3. Treat identity infrastructure as a priority remediation zone: Move these fixes to the front of the queue because the disclosed flaws affect systems that sit directly in authentication and access control workflows. 
