Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy.
AnalysisAI
Server-Side Request Forgery (SSRF) in IBM Verify Identity Access and Security Verify Access products (versions 10.0-11.0.2) allows unauthenticated remote attackers to contact internal authentication endpoints that should be protected by the Reverse Proxy component. This bypass enables attackers to interact with restricted internal services, potentially leading to unauthorized information disclosure and limited integrity impact. EPSS data not provided, but CVSS 7.2 (High) with network-accessible, low-complexity attack vector indicates moderate real-world risk. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Technical ContextAI
This vulnerability represents a Server-Side Request Forgery (CWE-918) flaw in IBM's identity and access management product suite. The affected products - IBM Verify Identity Access Container, IBM Security Verify Access Container, IBM Verify Identity Access, and IBM Security Verify Access - implement a Reverse Proxy architecture designed to protect internal authentication endpoints from external access. The SSRF weakness allows attackers to craft requests that bypass these reverse proxy protections, forcing the server to make unintended requests to internal authentication services. The CVSS vector (S:C - Scope Changed) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, suggesting attackers can pivot from the reverse proxy layer to reach backend authentication infrastructure. This architectural bypass undermines the security boundary separation that the reverse proxy is meant to enforce, creating a trust boundary violation between external-facing and internal authentication systems.
RemediationAI
Organizations should apply vendor-released patches immediately according to IBM Security Bulletin 7268253 available at https://www.ibm.com/support/pages/node/7268253. The advisory confirms patch availability from IBM for all affected product versions, though exact fixed version numbers are not specified in the provided intelligence data. Administrators should review the official bulletin for precise upgrade paths and patched release versions for their specific deployment (containerized versus traditional installations, version 10.x versus 11.x branches). As a defense-in-depth measure while patching is in progress, organizations should implement network segmentation to restrict reverse proxy access to trusted networks only, deploy additional authentication controls on internal endpoints independent of reverse proxy protections, and monitor for suspicious internal authentication endpoint access patterns that may indicate exploitation attempts. For containerized deployments, ensure container images are updated from official IBM repositories post-patch release and that orchestration platforms are configured to prevent rollback to vulnerable image versions.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19998
GHSA-249q-vrhp-j59w