Skip to main content

IBM EUVDEUVD-2026-18066

| CVE-2026-4101 HIGH
Improper Authentication (CWE-287)
2026-04-01 ibm GHSA-f52w-9gxq-49mc
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Apr 01, 2026 - 21:00 euvd
EUVD-2026-18066
Analysis Generated
Apr 01, 2026 - 21:00 vuln.today
Patch released
Apr 01, 2026 - 21:00 nvd
Patch available
CVE Published
Apr 01, 2026 - 20:35 nvd
HIGH 8.1

DescriptionCVE.org

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an attacker to bypass authentication mechanisms and gain unauthorized access to the application.

AnalysisAI

Authentication bypass in IBM Verify Identity Access and IBM Security Verify Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both container and non-container deployments) allows remote attackers to gain unauthorized access under specific high-load conditions without authentication. The vulnerability carries an EPSS score indicating moderate exploitation probability, with vendor patch available but no confirmed active exploitation or public proof-of-concept at time of analysis. Attack complexity is rated high (AC:H), suggesting exploitation requires specific timing or environmental conditions related to load stress.

Technical ContextAI

This vulnerability affects IBM's identity and access management (IAM) platform across multiple product lines: IBM Verify Identity Access Container (11.0-11.0.2), IBM Security Verify Access Container (10.0-10.0.9.1), and their non-containerized counterparts. The root cause is classified as CWE-287 (Improper Authentication), indicating a fundamental flaw in how the application validates user credentials or session tokens. The condition-dependent nature ('under certain load conditions') suggests a race condition, resource exhaustion scenario, or timing-based weakness in the authentication flow that becomes exploitable when the system experiences high concurrent request volumes or resource contention. IBM Verify Access serves as an enterprise access management solution handling authentication, authorization, and SSO for critical applications, making authentication bypass particularly severe.

RemediationAI

Apply vendor-released patches immediately per IBM Security Advisory at https://www.ibm.com/support/pages/node/7268253, which provides specific remediation steps and patched versions for each affected product line. Organizations should prioritize patching systems exposed to high-load conditions or external network access. As an interim mitigation while testing patches, consider implementing rate limiting, load balancing with authentication offload to less-affected systems, or restricting network access to trusted sources. Monitor authentication logs for anomalous patterns during high-load periods, including successful authentications without corresponding credential validation events. Verify patch application through version confirmation and functional testing of authentication mechanisms under load conditions.

Share

EUVD-2026-18066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy