CVE-2026-1491

April 1, 2026, 9:16 p.m.

5.3
Medium

Description

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive information due to an inconsistent interpretation of an HTTP request by a reverse proxy.

Product(s) Impacted

Vendor Product Versions
Ibm
  • Verify Identity Access Container
  • Security Verify Access Container
  • Verify Identity Access
  • Security Verify Access
  • 11.0-11.0.2
  • 10.0-10.0.9.1
  • 11.0-11.0.2
  • 10.0-10.0.9.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a ibm verify_identity_access_container 11.0-11.0.2 / / / / / / /
a ibm security_verify_access_container 10.0-10.0.9.1 / / / / / / /
a ibm verify_identity_access 11.0-11.0.2 / / / / / / /
a ibm security_verify_access 10.0-10.0.9.1 / / / / / / /

References

https://www.ibm.com/support/pages/node/7268253

Tags

[email protected]
CWE-444
2026-04-01
CVE-2026-1491

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: April 1, 2026, 9:16 p.m.
Last Modified: April 1, 2026, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.