Cyber Resilience

CVE-2026-4101

High

Published: 01 April 2026

Published
01 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0036 27.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4101 is a high-severity Improper Authentication (CWE-287) vulnerability in Ibm Security Verify Access. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-4101 is an authentication bypass vulnerability affecting IBM Verify Identity Access Container versions 11.0 through 11.0.2, IBM Security Verify Access Container versions 10.0 through 10.0.9.1, IBM Verify Identity Access versions 11.0 through 11.0.2, and IBM Security Verify Access versions 10.0 through 10.0.9.1. Under certain load conditions, an attacker can bypass authentication mechanisms to gain unauthorized access to the application. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).

A remote attacker requires no privileges or user interaction to exploit this issue over the network, though it demands high attack complexity and specific load conditions on the affected system. Successful exploitation allows the attacker to bypass authentication entirely, achieving unauthorized access to the application with high impacts on confidentiality, integrity, and availability.

IBM has issued a security advisory with details on the vulnerability and mitigation steps, available at https://www.ibm.com/support/pages/node/7268253.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an…

more

attacker to bypass authentication mechanisms and gain unauthorized access to the application.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote attackers to bypass authentication in public-facing IBM Security Verify Access applications under specific conditions, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1343Same product: Ibm Security Verify Access
CVE-2026-1345Same product: Ibm Security Verify Access
CVE-2026-7876Same vendor: Ibm
CVE-2026-1342Same product: Ibm Security Verify Access
CVE-2026-1346Same product: Ibm Security Verify Access
CVE-2024-22347Same vendor: Ibm
CVE-2023-49886Same vendor: Ibm
CVE-2026-9170Same vendor: Ibm
CVE-2026-8644Same vendor: Ibm
CVE-2025-36365Same vendor: Ibm

Affected Assets

ibm
security verify access
10.0.0.0 — 10.0.9.1
ibm
security verify access container
10.0.0.0 — 10.0.9.1
ibm
verify identity access
11.0.0.0 — 11.0.2.0
ibm
verify identity access container
11.0.0.0 — 11.0.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the authentication bypass flaw in IBM Verify products by identifying, reporting, and applying vendor patches as specified in the IBM advisory.

prevent

Requires unique identification and authentication of users, directly countering the improper authentication (CWE-287) that enables bypass under load conditions.

prevent

Enforces approved access authorizations to block unauthorized application access even if authentication mechanisms fail under high load.

References