Cyber Resilience

CVE-2026-1346

Critical · LPE

Published: 08 April 2026

Modified: 09 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0023 (13.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-1346 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in IBM Security Verify Access. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 13.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1346 is a privilege escalation vulnerability affecting multiple IBM security products, stemming from execution with unnecessary privileges (CWE-250). It impacts IBM Verify Identity Access Container versions 11.0 through 11.0.2, IBM Security Verify Access Container versions 10.0 through 10.0.9.1, IBM Verify Identity Access versions 11.0 through 11.0.2, and IBM Security Verify Access versions 10.0 through 10.0.9.1. The issue allows a locally authenticated user to elevate privileges to root level. Published on 2026-04-08, it carries a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with high impacts across confidentiality, integrity, and availability in a changed scope.

A local attacker with authenticated access to the system can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants root privileges, enabling full control over the affected container or host, including potential data exfiltration, modification of critical files, or disruption of services.

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7268253 providing details on the vulnerability and recommended mitigations or patches.

Vulnerability details

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with unnecessary privileges than required.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1611 Escape to Host (tactic: Privilege Escalation)
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.

Why these techniques?

The CVE enables local root privilege escalation through unnecessary privileges, which maps directly to T1068; the container scope change and host control also map to container escape (T1611).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4101 · Same product: IBM Security Verify Access
CVE-2026-1345 · Same product: IBM Security Verify Access
CVE-2024-49814 · Same product: IBM Security Verify Access
CVE-2026-1343 · Same product: IBM Security Verify Access
CVE-2026-1342 · Same product: IBM Security Verify Access
CVE-2025-36184 · Same vendor: IBM
CVE-2026-3623 · Same vendor: IBM
CVE-2025-0161 · Same product: IBM Security Verify Access
CVE-2025-14604 · Same vendor: IBM
CVE-2026-8179 · Same vendor: IBM

Affected Assets

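Vendor: ibm · Product: security verify access · Versions: 10.0.0 through 10.0.9.1
Vendor: ibm · Product: security verify access container · Versions: 10.0.0.0 through 10.0.9.1
Vendor: ibm · Product: verify identity access · Versions: 11.0.0.0 through 11.0.2.0
Vendor: ibm · Product: verify identity access container · Versions: 11.0.0.0 through 11.0.2.0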

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: AC-6 enforces the principle of least privilege, directly preventing processes from executing with unnecessary root privileges that enable local authenticated users to escalate to root.

Prevent: SI-2 ensures timely identification, reporting, and correction of flaws like this privilege escalation vulnerability through application of IBM-provided patches.

Prevent: AC-3 enforces approved access control policies and mechanisms to restrict unauthorized privilege escalations by locally authenticated users.
