CVE-2026-4820

CWE-614CWE-319Cleartext Transmission3 documents3 sources
Severity
4.3MEDIUM
EPSS
0.0%
top 98.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM Maximo Application Suite
Timeline
PublishedApr 1

Description

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDibm/maximo_application_suite8.108.10.33+3
CVEListV5ibm/maximo_application_suite9.1.010.6.5.0+3

🔴Vulnerability Details

2
GHSA
GHSA-7cvp-jxjh-qvvf: IBM Maximo Application Suite 92026-04-01
CVEList
IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag2026-04-01
CVE-2026-4820 (MEDIUM CVSS 4.3) | IBM Maximo Application Suite 9.1 | cvebase.io