Cyber Resilience

CVE-2026-1345

High

Published: 01 April 2026

Published
01 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0006 19.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1345 is a high-severity OS Command Injection (CWE-78) vulnerability in Ibm Security Verify Access. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1345 is a command injection vulnerability (CWE-78) present in IBM Verify Identity Access Container versions 11.0 through 11.0.2, IBM Security Verify Access Container versions 10.0 through 10.0.9.1, IBM Verify Identity Access versions 11.0 through 11.0.2, and IBM Security Verify Access versions 10.0 through 10.0.9.1. The issue arises from improper validation of user-supplied input, which could enable unauthorized command execution. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-01T21:16:58.110.

An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary commands on the affected system, though these commands run with lower user privileges.

IBM has published a security advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7268253, which security practitioners should consult for patch information and mitigation guidance.

EU & UK References

Vulnerability details

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow an unauthenticated user to execute…

more

arbitrary commands as lower user privileges on the system due to improper validation of user supplied input.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection (CWE-78) in a network-exposed identity access product directly enables unauthenticated remote command execution on a public-facing application (T1190) via a command interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1342Same product: Ibm Security Verify Access
CVE-2026-1343Same product: Ibm Security Verify Access
CVE-2026-4101Same product: Ibm Security Verify Access
CVE-2024-51450Same vendor: Ibm
CVE-2024-55904Same vendor: Ibm
CVE-2026-1346Same product: Ibm Security Verify Access
CVE-2025-13686Same vendor: Ibm
CVE-2026-5935Same vendor: Ibm
CVE-2025-13687Same vendor: Ibm
CVE-2025-13688Same vendor: Ibm

Affected Assets

ibm
security verify access
10.0.0.0 — 10.0.9.1
ibm
security verify access container
10.0.0.0 — 10.0.9.1
ibm
verify identity access
11.0.0.0 — 11.0.2.0
ibm
verify identity access container
11.0.0.0 — 11.0.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper validation of user-supplied input that enables arbitrary command injection in the affected IBM products.

prevent

Ensures timely patching and remediation of the specific command injection flaw identified in CVE-2026-1345.

prevent

Limits damage from exploited command injection by enforcing least privilege, aligning with the vulnerability's execution under lower user privileges.

References