IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.
IBM strongly recommends addressing the vulnerability now by updating to IBM DevOps Loop 1.0.3 https://www.ibm.com/docs/en/devops-loop/1.0.3