Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.
AnalysisAI
Local code execution in IBM Security Verify Access 10.0-10.0.9.1 and 11.0-11.0.2 (both container and non-container deployments) allows unauthenticated local attackers to execute malicious scripts from outside the application's control sphere. This CWE-829 inclusion of functionality from untrusted control sphere vulnerability achieves container escape (scope change to C in CVSS vector), enabling high confidentiality impact and limited integrity/availability impact. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and lack of required privileges (PR:N) make this readily exploitable by local users.
Technical ContextAI
This vulnerability affects IBM Security Verify Access and IBM Verify Identity Access products, which provide identity and access management capabilities including web application security and federation services. The CWE-829 classification indicates the application improperly includes or invokes functionality from an untrusted control sphere, allowing local attackers to inject and execute code outside the intended security boundary. The CVSS scope change metric (S:C) confirms this represents a container escape or privilege boundary violation, where successful exploitation breaks out of the application's intended sandboxed environment. Both containerized (Docker/Kubernetes deployments) and traditional installations are affected across versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2, suggesting a design flaw in how the application validates or restricts external code inclusion rather than a simple implementation bug.
RemediationAI
Apply vendor-released patches as detailed in IBM's security bulletin at https://www.ibm.com/support/pages/node/7268253. Organizations should upgrade affected IBM Security Verify Access and IBM Verify Identity Access installations to patched versions that address the CWE-829 untrusted control sphere issue. Exact fix versions not independently confirmed from available data, consult the IBM advisory for specific upgrade paths for both containerized and traditional deployments. As an interim mitigation, restrict local system access to IBM Verify Access infrastructure and implement additional container runtime security controls to detect and prevent container escape attempts, though these workarounds do not eliminate the underlying vulnerability.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19986