Skip to main content

IBM CVE-2026-4820

| EUVDEUVD-2026-18068 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-04-01 ibm GHSA-7cvp-jxjh-qvvf
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 01, 2026 - 21:15 euvd
EUVD-2026-18068
Analysis Generated
Apr 01, 2026 - 21:15 vuln.today
Patch released
Apr 01, 2026 - 21:15 nvd
Patch available
CVE Published
Apr 01, 2026 - 20:54 nvd
MEDIUM 4.3

DescriptionCVE.org

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

AnalysisAI

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.

Technical ContextAI

The vulnerability stems from CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), a common web application flaw where authentication cookies lack the Secure flag that restricts transmission to HTTPS-only connections. When the Secure attribute is omitted, browsers will transmit the cookie over any HTTP request, including insecure connections. IBM Maximo Application Suite is an enterprise asset management and business applications platform built on web technologies. The affected versions (8.10, 8.11, 9.0, and 9.1) all share this cookie configuration weakness. An attacker exploiting this does not require prior authentication to execute the attack; the vulnerability is triggered by social engineering a legitimate user into clicking a malicious or compromised HTTP link.

RemediationAI

Apply the vendor-released patch available from IBM support. Organizations should update IBM Maximo Application Suite to a patched version for 9.1, 9.0, 8.11, and 8.10 as specified in the IBM security advisory at https://www.ibm.com/support/pages/node/7268028. The patch configures the Secure attribute on all authorization tokens and session cookies, restricting transmission to HTTPS-only connections. In the interim, organizations should enforce HTTPS-only communication policies, disable HTTP access to Maximo Application Suite endpoints, and implement network controls to prevent unencrypted access. Additionally, user education emphasizing the dangers of clicking HTTP links (especially for authentication or sensitive operations) and the use of HSTS headers can reduce attack surface.

Share

CVE-2026-4820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy