CVE-2026-4820
Insecure Cookie Attribute in IBM Maximo Allows Session Hijacking
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: IBM Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | maximo_application_suite | From 8.10 (inc) to 8.10.33 (exc) |
| ibm | maximo_application_suite | From 8.11 (inc) to 8.11.30 (exc) |
| ibm | maximo_application_suite | From 9.0 (inc) to 9.0.19 (exc) |
| ibm | maximo_application_suite | From 9.1 (inc) to 9.1.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability involves IBM Maximo Application Suite not setting the secure attribute on authorization tokens or session cookies, which can lead to cookie values being exposed over insecure HTTP connections.
Exposure of authorization tokens or session cookies can increase the risk of unauthorized access to user sessions, potentially leading to data breaches.
Such data breaches or unauthorized access incidents may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.
However, the provided information does not explicitly describe the direct impact on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability exists in IBM Maximo Application Suite versions 9.1, 9.0, 8.11, and 8.10 where the secure attribute is not set on authorization tokens or session cookies.
Because the secure attribute is missing, attackers can trick users into sending their cookies over an insecure HTTP connection by sending a link starting with http:// or by placing such a link on a website the user visits.
When the cookie is sent over an insecure connection, an attacker can intercept and obtain the cookie value by snooping on the network traffic.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access because attackers can steal session cookies or authorization tokens.
With these stolen cookies, attackers may impersonate legitimate users, potentially gaining access to sensitive information or performing actions on behalf of the user.
This can compromise the confidentiality of user sessions and data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the secure attribute is set on authorization tokens or session cookies in IBM Maximo Application Suite versions 9.1, 9.0, 8.11, and 8.10. This prevents cookies from being sent over insecure HTTP connections, reducing the risk of attackers obtaining cookie values by snooping traffic.
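The following is an added example, not IBM code and not part of this advisory. It shows the check a defender would run when verifying the mitigation above: parse the Set-Cookie headers an HTTPS response returns, flag session or authorization cookies that lack the Secure attribute (the CWE-614 condition), and emit the hardened form of a weak header. The cookie names, the name hints used to recognise session cookies, and the sample header lines are constructed for illustration and are not Maximo's actual cookie names.

```python
"""Audit Set-Cookie headers for a missing Secure attribute (CWE-614).

Added example, not IBM code and not part of this advisory. It parses raw
Set-Cookie header values and reports cookies a browser would also send over
plain HTTP because the Secure attribute is absent. Cookie names, name hints
and sample headers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Name fragments assumed (not from the advisory) to mark session/authz cookies.
SESSION_HINTS = ("session", "jsessionid", "token", "auth")


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are stored lower-cased; flag attributes map to "".
    attrs: Dict[str, str] = field(default_factory=dict)

    def has(self, flag: str) -> bool:
        return flag.lower() in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=val'."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for session-like cookies.

    'missing Secure' is the CWE-614 condition described in the advisory;
    HttpOnly and SameSite are reported as additional defence-in-depth gaps.
    """
    findings: List[Tuple[str, str]] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session_cookie(cookie.name):
            continue
        if not cookie.has("secure"):
            findings.append((cookie.name, "missing Secure (CWE-614)"))
        if not cookie.has("httponly"):
            findings.append((cookie.name, "missing HttpOnly"))
        if "samesite" not in cookie.attrs:
            findings.append((cookie.name, "missing SameSite"))
    return findings


def harden(header: str) -> str:
    """Return the header with Secure (and HttpOnly) appended if absent."""
    cookie = parse_set_cookie(header)
    out = header.rstrip("; ")
    if not cookie.has("secure"):
        out += "; Secure"
    if not cookie.has("httponly"):
        out += "; HttpOnly"
    return out


# Constructed sample headers: one weak, one hardened, one non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
    print("hardened:", harden(SAMPLE_HEADERS[0]))
```

Run it against the Set-Cookie headers captured from a patched instance; once the fix is applied the session cookie should produce no "missing Secure" finding. The name-hint heuristic is deliberately broad: a cookie that carries session state under an unexpected name is still a CWE-614 exposure, so review any cookie the audit skips.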