Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
AnalysisAI
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.
Technical ContextAI
The vulnerability stems from CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), a common web application flaw where authentication cookies lack the Secure flag that restricts transmission to HTTPS-only connections. When the Secure attribute is omitted, browsers will transmit the cookie over any HTTP request, including insecure connections. IBM Maximo Application Suite is an enterprise asset management and business applications platform built on web technologies. The affected versions (8.10, 8.11, 9.0, and 9.1) all share this cookie configuration weakness. An attacker exploiting this does not require prior authentication to execute the attack; the vulnerability is triggered by social engineering a legitimate user into clicking a malicious or compromised HTTP link.
RemediationAI
Apply the vendor-released patch available from IBM support. Organizations should update IBM Maximo Application Suite to a patched version for 9.1, 9.0, 8.11, and 8.10 as specified in the IBM security advisory at https://www.ibm.com/support/pages/node/7268028. The patch configures the Secure attribute on all authorization tokens and session cookies, restricting transmission to HTTPS-only connections. In the interim, organizations should enforce HTTPS-only communication policies, disable HTTP access to Maximo Application Suite endpoints, and implement network controls to prevent unencrypted access. Additionally, user education emphasizing the dangers of clicking HTTP links (especially for authentication or sensitive operations) and the use of HSTS headers can reduce attack surface.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18068
GHSA-7cvp-jxjh-qvvf