Description
Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1).
Published: 2026-03-27
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-User Session Data Exposure
Action: Immediate Patch
AI Analysis

Impact

A misconfigured cache in OpenText Identity Manager allows a remote authenticated user to read any other user's session data stored in the application cache. The vulnerability is a result of insecure handling of cache files, giving attackers access to confidential session information. The impact is a breach of confidentiality and potential escalation of privileges by a compromised user.

Affected Systems

The flaw exists in OpenText Identity Manager 25.2 (v4.10.1) running on Windows or Linux platforms. This version can be obtained from Micro Focus’s product release channels. Only the mentioned version is confirmed affected; earlier releases are not listed as vulnerable.

Risk and Exploitability

The CVSS Base Score of 8.4 classifies this flaw as High severity, and although its EPSS score is not available, the attack only requires the attacker to be an authenticated user of the application. The vulnerability is not currently listed in CISA’s KEV catalog, but because it allows cross-user data leakage, it represents a significant risk for organizations that rely on isolated user sessions. Exploitation requires no special network access beyond normal authentication and can be performed by any legitimate user who logs into the affected system. Review of the publicly available references indicates that Micro Focus has released a patch to address the issue, making patching an effective mitigation.

Generated by OpenCVE AI on March 27, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch or upgrade OpenText Identity Manager to version 25.2 v4.10.1 or later as detailed in Micro Focus documentation.
  • Verify that the application cache directory has appropriate file permissions so that only the owning process can read the files.
  • After patching and reconfiguration, test that session data is no longer accessible to other users.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1).
Title | | Cache Misconfiguration Leading to Cross-User Data Exposure
Weaknesses | | CWE-522
References | |
Metrics | | cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: OpenText

Published:

Updated: 2026-03-27T13:53:41.403Z

Reserved: 2025-11-20T13:59:14.354Z

Link: CVE-2025-13478

Vulnrichment

Updated: 2026-03-27T13:53:36.303Z

NVD

Status: Received

Published: 2026-03-27T14:16:07.450

Modified: 2026-03-27T14:16:07.450

Link: CVE-2025-13478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:52Z

Weaknesses