Platform: ibm
Component: verify-identity-access
Fixed in: 11.0.3, 10.0.10
CVE-2026-1346 is a critical privilege escalation vulnerability discovered in IBM Verify Identity Access. This flaw allows a locally authenticated user to escalate their privileges to root, potentially granting them complete control over the system. The vulnerability impacts versions 10.0 through 11.0.2 of both the Container and non-Container deployments. IBM has released patches to address this issue.
Successful exploitation of CVE-2026-1346 could have severe consequences. An attacker, already possessing valid local authentication credentials, could leverage this vulnerability to gain root access. This grants them unrestricted access to the underlying system, allowing them to modify system files, install malware, steal sensitive data, and compromise the entire environment. The blast radius extends to any data or services hosted on the affected system. This vulnerability shares similarities with other privilege escalation flaws where improper permission configurations are exploited to gain elevated access.
CVE-2026-1346 was publicly disclosed on 2026-04-08. Its severity is high due to the potential for root access. As of this writing, no public proof-of-concept exploits are known. The vulnerability has been added to the CISA KEV catalog, indicating a potential for active exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2026-1346 is to upgrade to a patched version of IBM Verify Identity Access. IBM has released updates to address this vulnerability. If immediate patching is not feasible due to compatibility concerns or testing requirements, consider implementing stricter access controls to limit the privileges of locally authenticated users. Review and harden the system's configuration to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to escalate privileges with a low-privileged user account and verifying that the escalation fails.
Apply the security updates provided by IBM for IBM Verify Identity Access Container and IBM Security Verify Access Container to the fixed versions available on the IBM support site. Refer to the IBM support note (https://www.ibm.com/support/pages/node/7268253) for detailed instructions.
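To triage a fleet against the version numbers on this page, the following added example (not IBM's tooling and not part of the original advisory) classifies installed versions as affected, fixed or unknown. It assumes that 10.0.10 is the fix for the 10.0.x branch and 11.0.3 the fix for the 11.0.x branch; the host names and inventory are constructed.

```python
import re

# Fixed releases, from the "Fixed in" field of this page. Mapping each fix to
# its own major.minor branch is an assumption of this example.
FIXED = {(10, 0): (10, 0, 10), (11, 0): (11, 0, 3)}

def parse_version(text):
    """Return a 3-tuple of ints from a string such as '10.0.9' or 'v11.0.2.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version_text):
    """Classify one installed version as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory text
    # Tuple comparison is numeric, so 10.0.10 sorts after 10.0.9;
    # a plain string comparison would rank them the other way round.
    return "affected" if version < fixed else "fixed"

def triage_inventory(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "isva-prod-1": "10.0.9",
    "isva-prod-2": "10.0.10",
    "isva-dr-1": "11.0.2",
    "isva-test-1": "11.0.3",
    "isva-lab-1": "9.0.7",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:8} {status}")
```

Hosts reported as unknown fall outside the version range this page states and need to be checked against the IBM support note directly.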
CVE-2026-1346 is a critical vulnerability allowing a locally authenticated user to gain root privileges in IBM Verify Identity Access versions 10.0-11.0.2.
You are affected if you are running IBM Verify Identity Access versions 10.0 through 11.0.2 and have locally authenticated users.
Upgrade to a patched version of IBM Verify Identity Access as soon as possible. Refer to the official IBM security advisory for specific version details.
While no public exploits are currently known, the vulnerability has been added to the CISA KEV catalog, suggesting a potential for active exploitation.
Refer to the official IBM Security Bulletin for details: [https://www.ibm.com/support/kbdoc/firstdoc?docid=instance/sb129691](https://www.ibm.com/support/kbdoc/firstdoc?docid=instance/sb129691)