CVE-2026-4938 in Verify Identity Accessinfo

Summary

by MITRE • 07/17/2026

IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow an attacker with read-only privileges to make unauthorized modifications and deployments outside of their assigned permissions.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability represents a critical privilege escalation issue affecting multiple versions of IBM's identity and access management solutions including IBM Verify Identity Access and IBM Security Verify Access across various containerized deployments. The flaw allows authenticated users with only read-only privileges to bypass authorization controls and execute unauthorized modifications and deployments beyond their assigned permissions, fundamentally undermining the principle of least privilege that forms the cornerstone of secure access control systems.

The technical nature of this vulnerability stems from insufficient access control mechanisms within the authentication and authorization frameworks of these identity management platforms. Attackers exploiting this weakness can leverage their read-only accounts to manipulate system configurations, deploy malicious code, or modify critical infrastructure components without proper authorization. This represents a classic case of inadequate privilege validation where the system fails to properly enforce access boundaries between different user roles and permission levels.

From an operational impact perspective, this vulnerability creates significant risk for organizations relying on these platforms for identity management and access control. The ability to escalate privileges from read-only to administrative levels without detection can lead to complete system compromise, data exfiltration, and unauthorized access to sensitive corporate resources. Security teams face the challenge of identifying compromised accounts while maintaining operational continuity, as the vulnerability may remain undetected for extended periods.

The vulnerability aligns with CWE-284 (Improper Access Control) and represents a violation of fundamental security principles outlined in NIST SP 800-53 access control requirements. From an ATT&CK framework perspective, this maps to privilege escalation techniques including T1068 (Local Privilege Escalation) and T1566 (Phishing for Information), as attackers can leverage legitimate read-only accounts to gain elevated privileges. Organizations should implement immediate mitigations including enhanced monitoring of administrative activities, mandatory access control reviews, and application of available patches from IBM security advisories.

The affected systems require comprehensive security hardening measures beyond patching, including implementation of multi-factor authentication for all privileged accounts, regular security audits of access controls, and deployment of security information and event management solutions to detect anomalous privilege usage patterns. Organizations should also conduct thorough risk assessments to determine the scope of potential compromise and implement network segmentation strategies to limit lateral movement capabilities for compromised accounts.

Responsible

Ibm

Reservation

03/26/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!