CVE-2025-36359 PUBLISHED

IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.

Assigner: ibm
Reserved: 15.04.2025 Published: 30.06.2026 Updated: 01.07.2026

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 do not invalidate session IDs after expiration, which could allow an authenticated user to impersonate another user on the system.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Product Status

Vendor: IBM
Product: DevOps Automation
Versions:
  • Version 1.0.1 is affected

Vendor: IBM
Product: DevOps Loop
Versions:
  • Version 1.0.2 is affected

Solutions

IBM strongly recommends addressing the vulnerability now by updating to IBM DevOps Loop 1.0.3: https://www.ibm.com/docs/en/devops-loop/1.0.3

Credits

  • Sunil Dandamudi (HCL Software), finder

Problem Types

  • CWE-613: Insufficient Session Expiration