{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1491", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-01-27T14:29:01.426Z", "datePublished": "2026-04-01T20:44:24.310Z", "dateUpdated": "2026-04-03T13:56:05.184Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-01T20:44:24.310Z"}, "title": "Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Verify Identity Access Container", "versions": [{"status": "affected", "version": "11.0", "lessThanOrEqual": "11.0.2", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:verify_identity_access_container:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access_container:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access_container:11.0.2:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Security Verify Access Container", "versions": [{"status": "affected", "version": "10.0", "lessThanOrEqual": "10.0.9.1", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:security_verify_access_container:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access_container:10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access_container:10.0.9.1:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Verify Identity Access", "versions": [{"status": "affected", "version": "11.0", "lessThanOrEqual": "11.0.2", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:verify_identity_access:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access:11.0.2:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Security Verify Access", "versions": [{"status": "affected", "version": "10.0", "lessThanOrEqual": "10.0.9.1", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:security_verify_access:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access:10.0.9.1:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268253", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "IBM encourages customers to update their systems promptly.\n\n\u00a0\n\nAppliance:\u00a0\n\nAffected Products and Versions\n\nFix availability\n\nIBM Verify Identity Access 11.0 - 11.0.2\n\n Download IBM Verify Identity Access v11.0.2 IF1 https://www.ibm.com/support/fixcentral/quickorder \n\nIBM Security Verify Access 10.0 - 10.0.9.1\n\n Download IBM Security Verify Access v10.0.9.1 IF1 https://www.ibm.com/support/fixcentral/quickorder", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><strong>IBM encourages customers to update their systems promptly.</strong></p><p>&nbsp;</p><p><strong>Appliance:&nbsp;</strong></p><div><table><thead><tr><td><p><strong>Affected Products and Versions</strong></p></td><td><p><strong>Fix availability</strong></p></td></tr><tr><td><p>IBM Verify Identity Access 11.0 - 11.0.2</p></td><td><p><a href=\"https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Verify+Identity+Access&amp;fixids=11.0.2.0-ISS-IVIA-IF0001&amp;source=SAR\" rel=\"nofollow\">Download IBM Verify Identity Access v11.0.2 IF1</a></p></td></tr><tr><td><p>IBM Security Verify Access 10.0 - 10.0.9.1</p></td><td><p><a href=\"https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Security+Verify+Access&amp;fixids=10.0.9.1-ISS-ISVA-IF0001&amp;source=SAR\" rel=\"nofollow\">Download IBM Security Verify Access v10.0.9.1 IF1</a></p></td></tr></thead></table></div>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1491", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:45:26.430568Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:56:05.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1491", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:45:26.430568Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:49:45.147Z"}}], "cna": {"title": "Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:verify_identity_access_container:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access_container:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access_container:11.0.2:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Verify Identity Access Container", "versions": [{"status": "affected", "version": "11.0", "versionType": "semver", "lessThanOrEqual": "11.0.2"}]}, {"cpes": ["cpe:2.3:a:ibm:security_verify_access_container:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access_container:10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access_container:10.0.9.1:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Security Verify Access Container", "versions": [{"status": "affected", "version": "10.0", "versionType": "semver", "lessThanOrEqual": "10.0.9.1"}]}, {"cpes": ["cpe:2.3:a:ibm:verify_identity_access:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:verify_identity_access:11.0.2:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Verify Identity Access", "versions": [{"status": "affected", "version": "11.0", "versionType": "semver", "lessThanOrEqual": "11.0.2"}]}, {"cpes": ["cpe:2.3:a:ibm:security_verify_access:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:security_verify_access:10.0.9.1:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Security Verify Access", "versions": [{"status": "affected", "version": "10.0", "versionType": "semver", "lessThanOrEqual": "10.0.9.1"}]}], "solutions": [{"lang": "en", "value": "IBM encourages customers to update their systems promptly.\n\n\u00a0\n\nAppliance:\u00a0\n\nAffected Products and Versions\n\nFix availability\n\nIBM Verify Identity Access 11.0 - 11.0.2\n\n Download IBM Verify Identity Access v11.0.2 IF1 https://www.ibm.com/support/fixcentral/quickorder \n\nIBM Security Verify Access 10.0 - 10.0.9.1\n\n Download IBM Security Verify Access v10.0.9.1 IF1 https://www.ibm.com/support/fixcentral/quickorder", "supportingMedia": [{"type": "text/html", "value": "<p><strong>IBM encourages customers to update their systems promptly.</strong></p><p>&nbsp;</p><p><strong>Appliance:&nbsp;</strong></p><div><table><thead><tr><td><p><strong>Affected Products and Versions</strong></p></td><td><p><strong>Fix availability</strong></p></td></tr><tr><td><p>IBM Verify Identity Access 11.0 - 11.0.2</p></td><td><p><a href=\"https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Verify+Identity+Access&amp;fixids=11.0.2.0-ISS-IVIA-IF0001&amp;source=SAR\" rel=\"nofollow\">Download IBM Verify Identity Access v11.0.2 IF1</a></p></td></tr><tr><td><p>IBM Security Verify Access 10.0 - 10.0.9.1</p></td><td><p><a href=\"https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Security+Verify+Access&amp;fixids=10.0.9.1-ISS-ISVA-IF0001&amp;source=SAR\" rel=\"nofollow\">Download IBM Security Verify Access v10.0.9.1 IF1</a></p></td></tr></thead></table></div>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7268253", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "ibm-cvegen"}, "descriptions": [{"lang": "en", "value": "IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.", "supportingMedia": [{"type": "text/html", "value": "<p>IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-01T20:44:24.310Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1491", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:56:05.184Z", "dateReserved": "2026-01-27T14:29:01.426Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2026-04-01T20:44:24.310Z", "assignerShortName": "ibm"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy."}], "id": "CVE-2026-1491", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-04-01T21:16:58.317", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7268253"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.9.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Security Verify Access", "source": "cna", "vendor": "IBM"}, "product": "security_verify_access", "vendor": "ibm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.9.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Security Verify Access Container", "source": "cna", "vendor": "IBM"}, "product": "security_verify_access_container", "vendor": "ibm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[11.0,11.0.2]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Verify Identity Access", "source": "cna", "vendor": "IBM"}, "product": "verify_identity_access", "vendor": "ibm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[11.0,11.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Verify Identity Access Container", "source": "cna", "vendor": "IBM"}, "product": "verify_identity_access_container", "vendor": "ibm"}], "analysis": {"en": {"generated_at": "2026-04-02T02:40:20.384003+00:00", "value": {"mitigation_remediation": ["Apply IBM Verify Identity Access v11.0.2 (IF1) to all affected containers and hosts.", "Apply IBM Security Verify Access v10.0.9.1 (IF1) to all affected containers and hosts.", "Ensure reverse proxies are correctly configured or replace them with versions known to handle HTTP requests securely when patches are delayed."], "summary": {"action": "Patch", "impact": "Remote Information Disclosure"}, "threat_synthesis": {"affected_systems": "IBM Verify Identity Access versions 11.0 through 11.0.2 and IBM Security Verify Access versions 10.0 through 10.0.9.1, including their containerized forms, are affected. Users deploying these products on any platform are at risk.", "description_and_impact": "A flaw in IBM Verify Identity Access and IBM Security Verify Access allows a remote attacker to obtain sensitive information by exploiting an inconsistent interpretation of an HTTP request processed by a reverse proxy. The vulnerability is classified as CWE-444, meaning that the application treats arbitrary data as valid input, which can lead to unintended information disclosure. The impact is the leakage of confidential data, potentially compromising system integrity without requiring any additional privileges.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the lack of an EPSS score and absence from CISA\u2019s KEV list suggest that widespread exploitation has not yet been documented. The likely attack vector is remote exploitation over HTTP, where a malicious request is processed by a reverse proxy and routed to the vulnerable application. An attacker could craft specially formatted requests to trigger the information disclosure."}}}}, "created": "2026-04-02T07:47:32.171906+00:00", "updated": "2026-04-02T20:16:28.821632+00:00", "vendors": ["ibm", "ibm$PRODUCT$security_verify_access", "ibm$PRODUCT$security_verify_access_container", "ibm$PRODUCT$verify_identity_access", "ibm$PRODUCT$verify_identity_access_container"]}