CVE-2026-2475
Received Received - Intake
Open Redirect Vulnerability in IBM Verify and Security Access

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: IBM Corporation

Description
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2475
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
ibm verify_identity_access From 11.0.0.0 (inc) to 11.0.2.0 (inc)
ibm security_verify_access From 10.0.0.0 (inc) to 10.0.9.1 (inc)
ibm security_verify_access_container From 10.0.0.0 (inc) to 10.0.9.1 (inc)
ibm verify_identity_access_container From 11.0.0.0 (inc) to 11.0.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an open redirect issue found in IBM Verify Identity Access Container and IBM Security Verify Access products. It allows a remote attacker to craft a special request that causes the application to redirect a user to an arbitrary website chosen by the attacker.

Essentially, the attacker can trick users into clicking a link that appears to be legitimate but actually sends them to a malicious site, enabling phishing attacks.

Impact Analysis

The vulnerability can be exploited to conduct phishing attacks by redirecting users to malicious websites without their knowledge.

This can lead to users being deceived into providing sensitive information, such as login credentials or personal data, to attackers.

The CVSS score of 3.1 indicates a low severity, but the impact on user trust and potential data compromise can still be significant.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart