CVE-2026-4820
Received Received - Intake
Insecure Cookie Attribute in IBM Maximo Allows Session Hijacking

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: IBM Corporation

Description
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4820
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
ibm maximo_application_suite From 8.10 (inc) to 8.10.33 (exc)
ibm maximo_application_suite From 8.11 (inc) to 8.11.30 (exc)
ibm maximo_application_suite From 9.0 (inc) to 9.0.19 (exc)
ibm maximo_application_suite From 9.1 (inc) to 9.1.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-614 The Secure attribute for sensitive cookies in HTTPS sessions is not set.
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability involves IBM Maximo Application Suite not setting the secure attribute on authorization tokens or session cookies, which can lead to cookie values being exposed over insecure HTTP connections.

Exposure of authorization tokens or session cookies can increase the risk of unauthorized access to user sessions, potentially leading to data breaches.

Such data breaches or unauthorized access incidents may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

However, the provided information does not explicitly describe the direct impact on compliance with these standards.

Executive Summary

This vulnerability exists in IBM Maximo Application Suite versions 9.1, 9.0, 8.11, and 8.10 where the secure attribute is not set on authorization tokens or session cookies.

Because the secure attribute is missing, attackers can trick users into sending their cookies over an insecure HTTP connection by sending a link starting with http:// or by placing such a link on a website the user visits.

When the cookie is sent over an insecure connection, an attacker can intercept and obtain the cookie value by snooping on the network traffic.

Impact Analysis

The vulnerability can lead to unauthorized access because attackers can steal session cookies or authorization tokens.

With these stolen cookies, attackers may impersonate legitimate users, potentially gaining access to sensitive information or performing actions on behalf of the user.

This can compromise the confidentiality of user sessions and data.

Mitigation Strategies

To mitigate this vulnerability, ensure that the secure attribute is set on authorization tokens or session cookies in IBM Maximo Application Suite versions 9.1, 9.0, 8.11, and 8.10. This prevents cookies from being sent over insecure HTTP connections, reducing the risk of attackers obtaining cookie values by snooping traffic.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4820. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart