Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.
AnalysisAI
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Technical ContextAI
This vulnerability exploits CWE-444 (Inconsistent Interpretation of HTTP Requests, also known as HTTP Request Smuggling), which arises when a reverse proxy and backend server interpret HTTP request boundaries differently. Attackers can craft malformed HTTP requests that are processed as one request by the proxy but split into multiple requests by the backend server, allowing access bypass and information disclosure. The affected products are IBM's identity and access management solutions, including both containerized (Verify Identity Access Container, Security Verify Access Container) and traditional deployment variants (Verify Identity Access, Security Verify Access). The inconsistency in HTTP parsing, combined with the reverse proxy intermediary, creates a pathway for attackers to smuggle requests and access protected resources.
RemediationAI
Vendor-released patch is available per IBM security advisory at https://www.ibm.com/support/pages/node/7268253. Organizations running IBM Verify Identity Access or Security Verify Access should immediately upgrade to patched versions: upgrade 11.x deployments to version 11.0.3 or later, and upgrade 10.x deployments to version 10.0.10 or later. The patch addresses the HTTP request smuggling vulnerability by enforcing consistent interpretation of HTTP request boundaries between the reverse proxy and backend server. Apply patches to all affected containers and non-container deployments in your environment. Consult the IBM advisory for detailed upgrade procedures specific to your deployment topology.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18027
GHSA-m56v-pqjg-v632