Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites.
AnalysisAI
Open redirect vulnerability in IBM Verify Identity Access Container versions 11.0-11.0.2 and 10.0-10.0.9.1, and IBM Security Verify Access Container and non-container variants across the same version ranges, enables remote phishing attacks via specially crafted requests that redirect users to arbitrary websites. The attack requires user interaction (UI:R) and unusual network or exploitation circumstances (AC:H), limiting real-world impact; no public exploit code or confirmed active exploitation has been identified.
Technical ContextAI
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site or 'Open Redirect'). The issue resides in IBM's identity and access management platform, which handles authentication and authorization flows. Open redirects occur when an application accepts user-supplied input to determine redirect destinations without proper validation, allowing attackers to craft URLs that legitimately redirect users through the trusted IBM domain before forwarding them to attacker-controlled sites. In the context of identity and access management, this is particularly dangerous because users trust IBM authentication flows and may not notice the subsequent redirect, making phishing campaigns more credible. The vulnerability affects both containerized deployments (Verify Identity Access Container, Security Verify Access Container) and non-containerized installations, indicating the flaw is in the core authentication logic rather than deployment-specific code.
RemediationAI
Vendor-released patch is available per IBM security advisory at https://www.ibm.com/support/pages/node/7268253; upgrade IBM Verify Identity Access Container, Security Verify Access Container, and their non-containerized equivalents to the patched versions specified in the advisory. Until patching is feasible, implement input validation and URL allowlisting in application configuration to restrict redirect destinations to known-safe domains, and educate users to scrutinize redirect URLs in authentication flows-particularly any that leave the expected IBM domain. Web application firewalls (WAF) can block redirect parameters pointing to non-whitelisted domains.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18032
GHSA-h7q9-rm7f-jp23