CVE-2026-4364 is a cross-site scripting vulnerability classified under CWE-79 that impacts IBM Verify Identity Access Container versions 11.0 through 11.0.2 and IBM Security Verify Access Container versions 10.0 through 10.0.9.1. The root cause is the improper specification of the HTTP response Content-Type header when serving certificate listings via browser sessions. Instead of correctly labeling the response as application/json, the server responds with text/html. This misconfiguration causes browsers to parse the JSON payload as HTML and potentially execute embedded JavaScript code. An attacker able to influence or intercept the JSON response could inject malicious scripts that execute in the context of the victim’s browser session, leading to cross-site scripting attacks. The vulnerability requires the attacker to have some level of privileges (PR:L) and user interaction (UI:R), but the attack complexity is low (AC:L), and the scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The CVSS v3.1 base score is 5.4, reflecting medium severity with partial impact on confidentiality and integrity but no impact on availability. No patches or exploits are currently documented, but the vulnerability poses a risk to environments where IBM Verify Identity Access Container is used for identity and access management, especially in enterprise and government sectors.

The vulnerability could allow attackers to execute arbitrary JavaScript in the context of authenticated users’ browser sessions, potentially leading to theft of session tokens, user credentials, or other sensitive information. This can compromise the confidentiality and integrity of user data and identity management processes. While availability is not impacted, the breach of trust and session hijacking risks can lead to unauthorized access to protected resources. Organizations relying on IBM Verify Identity Access Container for identity verification and access control may face increased risk of targeted attacks, especially in environments with high-value assets or sensitive data. The medium severity score reflects that exploitation requires some privileges and user interaction, limiting the ease of attack but not eliminating the threat. If exploited in critical infrastructure or government systems, the impact could be significant due to the sensitive nature of identity management.

Organizations should monitor IBM’s official channels for patches addressing this vulnerability and apply them promptly once available. In the interim, administrators can implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Additionally, reviewing and hardening HTTP response headers, such as setting X-Content-Type-Options to 'nosniff', can help prevent browsers from misinterpreting content types. Limiting user privileges and enforcing multi-factor authentication can reduce the risk of exploitation. Regular security audits and penetration testing focused on web application security for identity access components are recommended. Network segmentation and monitoring for anomalous activities related to identity access services can also help detect and mitigate potential exploitation attempts.