Description
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Published: 2026-04-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Token Theft
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from IBM Maximo Application Suite failing to mark authentication tokens and session cookies with the Secure flag, enabling them to be transmitted over non-HTTPS connections. Attackers can trigger the cookie to be sent to an insecure http:// URL by embedding the link in a phishing page or a site the user visits. When transmitted insecurely, the cookie values can be captured by an attacker through traffic sniffing, allowing session hijacking and unauthorized access to the system.

Affected Systems

IBM Maximo Application Suite versions 9.1.x up to 9.1.8, 9.0.x up to 9.0.19, 8.11.x up to 8.11.30, and 8.10.x up to 8.10.33 are affected.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate risk, and the EPSS score is less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation is achievable remotely via a web link, requiring an attacker to supply an http:// URL that a user visits, making the risk dependent on user interaction with potential phishing or compromised sites.

Generated by OpenCVE AI on April 7, 2026 at 23:37 UTC.

Remediation

Vendor Solution

Remediated Product(s)            Version(s)
IBM Maximo Application Suite     9.1.8
IBM Maximo Application Suite     9.0.19
IBM Maximo Application Suite     8.11.30
IBM Maximo Application Suite     8.10.33


OpenCVE Recommended Actions

  • Apply the IBM Maximo Application Suite updates to version 9.1.8, 9.0.19, 8.11.30, or 8.10.33 as provided by IBM.
  • Verify that authentication tokens and session cookies (including ltpatoken2_<workspace_name>) now carry the Secure flag and are only transmitted over HTTPS.
  • Monitor network traffic for any cookie sent over plain HTTP and enforce HTTPS across all Maximo Application Suite interfaces.
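One way to carry out the verification step above is to inspect the Set-Cookie headers a Maximo login response returns and report session cookies that lack the Secure (CWE-614) or HttpOnly attribute. This is an added example written for this page, not OpenCVE or IBM code; the cookie name prefix ltpatoken2_ comes from the CVE title, while the workspace name, token values and the JSESSIONID/theme cookies are constructed placeholders.

```python
from typing import Dict, List, Union

# Constructed Set-Cookie header values imitating a Maximo Application Suite
# login response. Only the ltpatoken2_ prefix is taken from the CVE record;
# the workspace name "masdev" and the cookie values are placeholders.
SAMPLE_HEADERS = [
    "ltpatoken2_masdev=PLACEHOLDER_TOKEN; Path=/; HttpOnly",
    "JSESSIONID=PLACEHOLDER_SESSION; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

# Cookie name prefixes treated as authentication state (assumption for this
# example; extend it with whatever session cookies your deployment issues).
SENSITIVE_PREFIXES = ("ltpatoken2_", "ltpatoken", "jsessionid")


def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes such as Secure and HttpOnly map to True; valued attributes
    such as Path or Max-Age map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per sensitive cookie that is missing Secure or HttpOnly."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        attrs = cookie["attrs"]
        if not name.lower().startswith(SENSITIVE_PREFIXES):
            continue  # non-session cookie, not in scope for this check
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute (CWE-614)")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly attribute")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Feed the function the Set-Cookie headers captured from a real login response after patching; an empty result for the ltpatoken2_ cookie confirms the fix is in effect.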



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319
CPEs cpe:2.3:a:ibm:maximo_application_suite:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Title IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag
First Time appeared Ibm
Ibm maximo Application Suite
Weaknesses CWE-614
CPEs cpe:2.3:a:ibm:maximo_application_suite:8.10.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:8.11.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:9.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:maximo_application_suite:9.1:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm maximo Application Suite
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T15:51:44.073Z

Reserved: 2026-03-25T13:48:17.676Z

Link: CVE-2026-4820

Vulnrichment

Updated: 2026-04-02T15:51:31.995Z

NVD

Status : Analyzed

Published: 2026-04-01T21:17:02.827

Modified: 2026-04-07T16:28:01.440

Link: CVE-2026-4820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:50Z

Weaknesses