Platform: ibm
Component: verify-identity-access
Fixed in: 11.0.3, 10.0.10
CVE-2026-1346 is a critical privilege escalation vulnerability discovered in IBM Verify Identity Access. This flaw allows a locally authenticated user to escalate their privileges to root, potentially granting them complete control over the system. The vulnerability impacts versions 10.0 through 11.0.2 of both the Container and non-Container deployments. IBM has released patches to address this issue.
Successful exploitation of CVE-2026-1346 grants an attacker root access to the affected system. This allows them to perform any action, including installing malware, accessing sensitive data, modifying system configurations, and potentially compromising other systems on the network. The blast radius is significant, as a compromised root account can be used to gain control of the entire infrastructure. This vulnerability is particularly concerning in environments where IBM Verify Identity Access is used for critical authentication and authorization services, as a successful attack could lead to widespread data breaches and service disruptions. The potential for lateral movement is high, as a root account can be used to pivot to other systems within the network.
CVE-2026-1346 was published on 2026-04-08 and carries a critical CVSS score of 9.3. The vulnerability is listed on KEV and has a high EPSS score, indicating a high probability of exploitation. No public exploits are currently known, but the critical severity warrants immediate attention. Refer to IBM's security advisory for detailed information and mitigation steps.
Organizations utilizing IBM Verify Identity Access in environments with local user authentication are at risk. This includes deployments with legacy configurations, shared hosting environments where multiple users have local access, and those relying on default or poorly configured access controls. Specifically, environments where local accounts have unnecessary privileges are particularly vulnerable.
• ibm / server:
# Check for vulnerable versions
grep -r '10\.0\|11\.0' /opt/IBM/VerifyIdentityAccess/bin/version.sh
• linux / server:
# Audit user privileges and processes running with elevated permissions
sudo -u root ps aux | grep -i 'verifyidentityaccess'
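The version grep above matches any string containing 10.0 or 11.0, so it also flags the fixed releases. The following shell function is an added example (not from IBM or the original page) that classifies a version string against the affected range and fixed releases stated on this page; the function name `classify_via_version` and the dotted-numeric version format are assumptions.

```shell
#!/bin/sh
# Added example: classify an IBM Verify Identity Access version string for
# CVE-2026-1346 using only the ranges stated on this page:
#   affected: 10.0 through 11.0.2; fixed in: 10.0.10 and 11.0.3
# Assumption: versions are dotted numeric strings such as 10.0.9.1 or 11.0.2.
# Prints one of: vulnerable | patched | unknown
classify_via_version() {
    via_ver=$1
    # Reject empty input, non-numeric characters and malformed dot placement.
    case $via_ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
        *.*) ;;                               # need at least major.minor
        *) echo unknown; return 0 ;;
    esac
    via_major=${via_ver%%.*}
    via_rest=${via_ver#*.}
    via_minor=${via_rest%%.*}
    # Third component (maintenance level) defaults to 0 when absent.
    case $via_rest in
        *.*) via_rest=${via_rest#*.}; via_patch=${via_rest%%.*} ;;
        *)   via_patch=0 ;;
    esac
    # First fixed maintenance level per release line, as listed on this page.
    case "$via_major.$via_minor" in
        10.0) via_fixed=10 ;;
        11.0) via_fixed=3 ;;
        *) echo unknown; return 0 ;;          # outside the ranges on the page
    esac
    if [ "$via_patch" -lt "$via_fixed" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample inventory (not real hosts or real output).
for v in 10.0.0 10.0.9.1 10.0.10 11.0.2 11.0.3.0 9.0.7; do
    printf '%-10s %s\n' "$v" "$(classify_via_version "$v")"
done
```

A result of `unknown` means the version falls outside the ranges this page states and should be checked against IBM's advisory directly.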
EPSS: 0.01% (0% percentile)
The primary mitigation is to upgrade IBM Verify Identity Access to a patched version. Consult IBM's security advisory for the specific fixed version. If immediate upgrade is not possible, consider implementing stricter access controls to limit the privileges of locally authenticated users. Review and restrict the permissions granted to the application user. Implement intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious activity related to privilege escalation attempts. After upgrading, verify the fix by attempting to execute commands with a low-privileged user account and confirming that they are denied the necessary permissions.
Apply the security updates provided by IBM for IBM Verify Identity Access Container and IBM Security Verify Access Container to the fixed versions available on the IBM support site. See the IBM support note (https://www.ibm.com/support/pages/node/7268253) for detailed instructions.
CVE-2026-1346 is a critical vulnerability allowing a locally authenticated user to gain root privileges in IBM Verify Identity Access versions 10.0-11.0.2.
You are affected if you are running IBM Verify Identity Access versions 10.0 through 11.0.2 and have locally authenticated users.
Upgrade to a patched version of IBM Verify Identity Access as soon as possible. Refer to the official IBM security advisory for specific version details.
While no public exploits are currently known, the vulnerability has been added to the CISA KEV catalog, suggesting a potential for active exploitation.
Refer to the official IBM Security Bulletin for details: [https://www.ibm.com/support/kbdoc/firstdoc?docid=instance/sb129691](https://www.ibm.com/support/kbdoc/firstdoc?docid=instance/sb129691)