Skip to main content

IBM CVE-2026-1346

| EUVDEUVD-2026-20001 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
2026-04-08 ibm
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 01:00 euvd
EUVD-2026-20001
Analysis Generated
Apr 08, 2026 - 01:00 vuln.today
Patch released
Apr 08, 2026 - 01:00 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:15 nvd
CRITICAL 9.3

DescriptionCVE.org

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with unnecessary privileges than required.

AnalysisAI

Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained.

Technical ContextAI

This vulnerability stems from CWE-250 (Execution with Unnecessary Privileges), where IBM Verify/Security Verify Access components run processes with elevated privileges beyond operational requirements. The affected products span both containerized (Verify Identity Access Container, Security Verify Access Container) and traditional deployment models (Verify Identity Access, Security Verify Access) across versions 10.0 through 11.0.2. The CVSS vector indicates local attack surface (AV:L), meaning exploitation requires existing local system access, but critically shows PR:N (no privileges required) - the attacker needs no authentication beyond basic local user access. The scope change (S:C) indicates the vulnerability allows escaping the security context of the vulnerable component to impact the broader system, consistent with local-to-root escalation scenarios common in enterprise identity and access management platforms where service accounts or executables run with SUID/sudo privileges unnecessarily.

RemediationAI

Patch available per vendor advisory at https://www.ibm.com/support/pages/node/7268253. Organizations should immediately consult this IBM support page for specific patched versions and upgrade paths for their deployment model (containerized vs traditional). IBM typically provides interim workarounds or hardening guidance in their advisories for customers unable to patch immediately. Until patching is complete, implement compensating controls: restrict local system access to IBM Verify infrastructure through network segmentation and jump host architectures, enforce multi-factor authentication for all administrative access, enable comprehensive process execution monitoring to detect unexpected privilege escalation attempts, and review system logs for unauthorized root-level activities. Given the local attack vector, prioritize removing unnecessary local user accounts and disabling unused services that could provide initial foothold access.

Share

CVE-2026-1346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy