Skip to main content

IBM Security Verify Access CVE-2026-5926

| EUVDEUVD-2026-25135 MEDIUM
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-04-23 psirt@us.ibm.com GHSA-5rff-j8g7-m3r3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:02 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 00:22 euvd
EUVD-2026-25135
Analysis Generated
Apr 23, 2026 - 00:22 vuln.today
CVE Published
Apr 23, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

AnalysisAI

IBM Security Verify Access and Verify Identity Access products versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 use cryptographic algorithms weaker than expected, allowing authenticated network attackers to decrypt highly sensitive information. The vulnerability affects both containerized and non-containerized deployments across multiple major versions. CVSS 6.5 reflects high confidentiality impact with low attack complexity, though authenticated access is required.

Technical ContextAI

IBM Security Verify Access is an identity and access management platform providing authentication, authorization, and single sign-on capabilities. The vulnerability resides in the cryptographic implementation used to protect sensitive data in transit or at rest within the platform. Rather than a specific protocol flaw, this represents a deliberate choice of weaker cryptographic algorithms-likely AES with insufficient key strength, outdated symmetric algorithms, or weak key derivation functions-that fall short of current industry standards for protecting highly sensitive identity and access control data. CWE classification was not provided by IBM, but this pattern aligns with CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-326 (Inadequate Encryption Strength).

RemediationAI

Upgrade IBM Security Verify Access to a version newer than 10.0.9.1 or 11.0.2 once available from IBM. Contact IBM support via https://www.ibm.com/support/pages/node/7269372 for confirmed fixed versions and upgrade timelines, as the advisory does not specify exact patch release versions at this time. Until patching is feasible, implement compensating controls: restrict network access to Verify Access management interfaces and APIs to trusted networks using firewall rules or network segmentation, enforce mutual TLS with strong cipher suites for all connections to the platform, rotate and audit service account credentials that may have accessed encrypted data under the weaker algorithm, and consider disabling features or integrations that rely on the vulnerable cryptographic implementation if operationally feasible. The trade-off of network restriction is reduced accessibility for remote administrators; the trade-off of cipher-suite enforcement is potential compatibility issues with legacy clients.

Share

CVE-2026-5926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy