Description
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 do not invalidate session IDs after expiration, which could allow an authenticated user to impersonate another user on the system.
Published: 2026-06-30
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 fail to invalidate session IDs after they expire, allowing an authenticated user who has previously obtained a session to continue using that session to act as another user. The vulnerability is an insufficient session expiration issue (CWE-613) that gives an adversary the ability to impersonate legitimate users, potentially accessing sensitive data or performing privileged actions on the platform.

Affected Systems

The affected systems are IBM DevOps Automation version 1.0.1 and IBM DevOps Loop version 1.0.2. No further sub‑release details are provided beyond the major/minor numbers listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.1 reflects a high-severity issue with potential for unauthorized access. EPSS data is not available, so the likelihood of exploitation cannot be quantified, but the absence of a KEV listing suggests no confirmed exploitation in the wild as of this data set. The likely attack vector requires an attacker to possess valid credentials or an existing authenticated session; from there, the attacker can reuse the expired session to hijack another user's account.

Generated by OpenCVE AI on June 30, 2026 at 22:29 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by updating to IBM DevOps Loop 1.0.3: https://www.ibm.com/docs/en/devops-loop/1.0.3


OpenCVE Recommended Actions

  • Apply the IBM DevOps Loop 1.0.3 update immediately to enforce proper session expiration.
  • Disable or reconfigure any session‑caching or persistence mechanisms so that session IDs are no longer valid after expiry.
  • Implement multi‑factor authentication to reduce the risk of credential compromise and limit the effectiveness of session reuse.
  • After the update, perform a test that verifies expired session IDs cannot be reused, ensuring the fix functions as intended.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 do not invalidate session IDs after expiration, which could allow an authenticated user to impersonate another user on the system.
Title IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.
First Time appeared Ibm
Ibm devops Automation
Ibm devops Loop
Weaknesses CWE-613
CPEs cpe:2.3:a:ibm:devops_automation:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:devops_loop:1.0.2:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm devops Automation
Ibm devops Loop
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T20:11:57.390Z

Reserved: 2025-04-15T21:16:54.210Z

Link: CVE-2025-36359

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration