Skip to main content

IBM CVE-2026-1342

| EUVDEUVD-2026-19986 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-04-08 psirt@us.ibm.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 00:22 euvd
EUVD-2026-19986
Analysis Generated
Apr 08, 2026 - 00:22 vuln.today
CVE Published
Apr 08, 2026 - 00:16 nvd
HIGH 8.5

DescriptionCVE.org

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.

AnalysisAI

Local code execution in IBM Security Verify Access 10.0-10.0.9.1 and 11.0-11.0.2 (both container and non-container deployments) allows unauthenticated local attackers to execute malicious scripts from outside the application's control sphere. This CWE-829 inclusion of functionality from untrusted control sphere vulnerability achieves container escape (scope change to C in CVSS vector), enabling high confidentiality impact and limited integrity/availability impact. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and lack of required privileges (PR:N) make this readily exploitable by local users.

Technical ContextAI

This vulnerability affects IBM Security Verify Access and IBM Verify Identity Access products, which provide identity and access management capabilities including web application security and federation services. The CWE-829 classification indicates the application improperly includes or invokes functionality from an untrusted control sphere, allowing local attackers to inject and execute code outside the intended security boundary. The CVSS scope change metric (S:C) confirms this represents a container escape or privilege boundary violation, where successful exploitation breaks out of the application's intended sandboxed environment. Both containerized (Docker/Kubernetes deployments) and traditional installations are affected across versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2, suggesting a design flaw in how the application validates or restricts external code inclusion rather than a simple implementation bug.

RemediationAI

Apply vendor-released patches as detailed in IBM's security bulletin at https://www.ibm.com/support/pages/node/7268253. Organizations should upgrade affected IBM Security Verify Access and IBM Verify Identity Access installations to patched versions that address the CWE-829 untrusted control sphere issue. Exact fix versions not independently confirmed from available data, consult the IBM advisory for specific upgrade paths for both containerized and traditional deployments. As an interim mitigation, restrict local system access to IBM Verify Access infrastructure and implement additional container runtime security controls to detect and prevent container escape attempts, though these workarounds do not eliminate the underlying vulnerability.

Share

CVE-2026-1342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy