CVE-2026-4820

MEDIUM

IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag

Title source: cna

Description

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

References (1)

[Vendor Advisory] https://www.ibm.com/support/pages/node/7268028

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE

CWE-319 CWE-614

Status published

Products (5)

IBM/Maximo Application Suite 8.10

IBM/Maximo Application Suite 8.11.0

IBM/Maximo Application Suite 9.0

IBM/Maximo Application Suite 9.1.0 - 10.6.5.0

ibm/maximo_application_suite 8.10 - 8.10.33

Published Apr 01, 2026

Tracked Since Apr 02, 2026