CVE-2026-4820 PUBLISHED

IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag

Assigner: ibm
Reserved: 25.03.2026 Published: 01.04.2026 Updated: 02.04.2026

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	IBM
Product	Maximo Application Suite
Versions	affected from 9.1.0 to 10.6.5.0 (incl.) Version 9.0 is affected Version 8.11.0 is affected Version 8.10 is affected

Solutions

Remediated Product(s)Version(s)IBM Maximo Application Suite9.1.8IBM Maximo Application Suite9.0.19IBM Maximo Application Suite8.11.30IBM Maximo Application Suite8.10.33

References

https://www.ibm.com/support/pages/node/7268028

Problem Types

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute CWE