Skip to main content

IBM CVE-2026-1343

| EUVDEUVD-2026-19998 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 ibm GHSA-249q-vrhp-j59w
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 01:00 euvd
EUVD-2026-19998
Analysis Generated
Apr 08, 2026 - 01:00 vuln.today
Patch released
Apr 08, 2026 - 01:00 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:10 nvd
HIGH 7.2

DescriptionCVE.org

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.

AnalysisAI

Server-Side Request Forgery (SSRF) in IBM Verify Identity Access and Security Verify Access products (versions 10.0-11.0.2) allows unauthenticated remote attackers to contact internal authentication endpoints that should be protected by the Reverse Proxy component. This bypass enables attackers to interact with restricted internal services, potentially leading to unauthorized information disclosure and limited integrity impact. EPSS data not provided, but CVSS 7.2 (High) with network-accessible, low-complexity attack vector indicates moderate real-world risk. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

Technical ContextAI

This vulnerability represents a Server-Side Request Forgery (CWE-918) flaw in IBM's identity and access management product suite. The affected products - IBM Verify Identity Access Container, IBM Security Verify Access Container, IBM Verify Identity Access, and IBM Security Verify Access - implement a Reverse Proxy architecture designed to protect internal authentication endpoints from external access. The SSRF weakness allows attackers to craft requests that bypass these reverse proxy protections, forcing the server to make unintended requests to internal authentication services. The CVSS vector (S:C - Scope Changed) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, suggesting attackers can pivot from the reverse proxy layer to reach backend authentication infrastructure. This architectural bypass undermines the security boundary separation that the reverse proxy is meant to enforce, creating a trust boundary violation between external-facing and internal authentication systems.

RemediationAI

Organizations should apply vendor-released patches immediately according to IBM Security Bulletin 7268253 available at https://www.ibm.com/support/pages/node/7268253. The advisory confirms patch availability from IBM for all affected product versions, though exact fixed version numbers are not specified in the provided intelligence data. Administrators should review the official bulletin for precise upgrade paths and patched release versions for their specific deployment (containerized versus traditional installations, version 10.x versus 11.x branches). As a defense-in-depth measure while patching is in progress, organizations should implement network segmentation to restrict reverse proxy access to trusted networks only, deploy additional authentication controls on internal endpoints independent of reverse proxy protections, and monitor for suspicious internal authentication endpoint access patterns that may indicate exploitation attempts. For containerized deployments, ensure container images are updated from official IBM repositories post-patch release and that orchestration platforms are configured to prevent rollback to vulnerable image versions.

Share

CVE-2026-1343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy