Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an attacker to bypass authentication mechanisms and gain unauthorized access to the application.
AnalysisAI
Authentication bypass in IBM Verify Identity Access and IBM Security Verify Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both container and non-container deployments) allows remote attackers to gain unauthorized access under specific high-load conditions without authentication. The vulnerability carries an EPSS score indicating moderate exploitation probability, with vendor patch available but no confirmed active exploitation or public proof-of-concept at time of analysis. Attack complexity is rated high (AC:H), suggesting exploitation requires specific timing or environmental conditions related to load stress.
Technical ContextAI
This vulnerability affects IBM's identity and access management (IAM) platform across multiple product lines: IBM Verify Identity Access Container (11.0-11.0.2), IBM Security Verify Access Container (10.0-10.0.9.1), and their non-containerized counterparts. The root cause is classified as CWE-287 (Improper Authentication), indicating a fundamental flaw in how the application validates user credentials or session tokens. The condition-dependent nature ('under certain load conditions') suggests a race condition, resource exhaustion scenario, or timing-based weakness in the authentication flow that becomes exploitable when the system experiences high concurrent request volumes or resource contention. IBM Verify Access serves as an enterprise access management solution handling authentication, authorization, and SSO for critical applications, making authentication bypass particularly severe.
RemediationAI
Apply vendor-released patches immediately per IBM Security Advisory at https://www.ibm.com/support/pages/node/7268253, which provides specific remediation steps and patched versions for each affected product line. Organizations should prioritize patching systems exposed to high-load conditions or external network access. As an interim mitigation while testing patches, consider implementing rate limiting, load balancing with authentication offload to less-affected systems, or restricting network access to trusted sources. Monitor authentication logs for anomalous patterns during high-load periods, including successful authentications without corresponding credential validation events. Verify patch application through version confirmation and functional testing of authentication mechanisms under load conditions.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18066
GHSA-f52w-9gxq-49mc