CVE-2026-4913
Improper Access Control in Ivanti N-ITSM Allows Persistent Access
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: ivanti
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ivanti | n-itsm | before 2025.4 (2025.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-424 | The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Ivanti N-ITSM versions before 2025.4. It involves improper protection of an alternate access path, which allows a remote authenticated attacker to maintain access to the system even after their user account has been disabled.
How can this vulnerability impact me?
The vulnerability can allow an attacker who has already authenticated to continue accessing the system despite their account being disabled. This means that disabling a compromised account may not be sufficient to prevent unauthorized access, potentially leading to unauthorized data exposure or misuse.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a remote authenticated attacker to retain access even after their account has been disabled, which could lead to unauthorized access to sensitive data.
Such unauthorized access may violate compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and timely revocation of access rights to protect personal and health information.