CVE-2026-1345
Published: 01 April 2026
Summary
CVE-2026-1345 is a high-severity OS Command Injection (CWE-78) vulnerability in Ibm Security Verify Access. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper validation of user-supplied input that enables arbitrary command injection in the affected IBM products.
Ensures timely patching and remediation of the specific command injection flaw identified in CVE-2026-1345.
Limits damage from exploited command injection by enforcing least privilege, aligning with the vulnerability's execution under lower user privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-78) in a network-exposed identity access product directly enables unauthenticated remote command execution on a public-facing application (T1190) via a command interpreter (T1059).
NVD Description
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow an unauthenticated user to execute…
more
arbitrary commands as lower user privileges on the system due to improper validation of user supplied input.
Deeper analysisAI
CVE-2026-1345 is a command injection vulnerability (CWE-78) present in IBM Verify Identity Access Container versions 11.0 through 11.0.2, IBM Security Verify Access Container versions 10.0 through 10.0.9.1, IBM Verify Identity Access versions 11.0 through 11.0.2, and IBM Security Verify Access versions 10.0 through 10.0.9.1. The issue arises from improper validation of user-supplied input, which could enable unauthorized command execution. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-01T21:16:58.110.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary commands on the affected system, though these commands run with lower user privileges.
IBM has published a security advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7268253, which security practitioners should consult for patch information and mitigation guidance.
Details
- CWE(s)