CVE-2026-4101
Published: 01 April 2026
Summary
CVE-2026-4101 is a high-severity Improper Authentication (CWE-287) vulnerability in Ibm Security Verify Access. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the authentication bypass flaw in IBM Verify products by identifying, reporting, and applying vendor patches as specified in the IBM advisory.
Requires unique identification and authentication of users, directly countering the improper authentication (CWE-287) that enables bypass under load conditions.
Enforces approved access authorizations to block unauthorized application access even if authentication mechanisms fail under high load.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote attackers to bypass authentication in public-facing IBM Security Verify Access applications under specific conditions, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an…
more
attacker to bypass authentication mechanisms and gain unauthorized access to the application.
Deeper analysisAI
CVE-2026-4101 is an authentication bypass vulnerability affecting IBM Verify Identity Access Container versions 11.0 through 11.0.2, IBM Security Verify Access Container versions 10.0 through 10.0.9.1, IBM Verify Identity Access versions 11.0 through 11.0.2, and IBM Security Verify Access versions 10.0 through 10.0.9.1. Under certain load conditions, an attacker can bypass authentication mechanisms to gain unauthorized access to the application. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).
A remote attacker requires no privileges or user interaction to exploit this issue over the network, though it demands high attack complexity and specific load conditions on the affected system. Successful exploitation allows the attacker to bypass authentication entirely, achieving unauthorized access to the application with high impacts on confidentiality, integrity, and availability.
IBM has issued a security advisory with details on the vulnerability and mitigation steps, available at https://www.ibm.com/support/pages/node/7268253.
Details
- CWE(s)