Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2025-36359: IBM DevOps Session Hijacking Vulnerability (CVSS 8.1)
CVE-2025-36359: IBM DevOps Session Hijacking Vulnerability (CVSS 8.1)
SECURITYHIGHCVE-2025-36359

CVE-2025-36359: IBM DevOps Session Hijacking Vulnerability (CVSS 8.1)

IBM DevOps Automation and IBM DevOps Loop fail to invalidate session IDs after expiration, allowing authenticated attackers to impersonate other users via...

Dylan H.

Security Team

July 1, 2026
3 min read

Affected Products

  • IBM DevOps Automation 1.0.1
  • IBM DevOps Loop 1.0.2

Overview

CVE-2025-36359 is a HIGH-severity session management flaw (CVSS v3.1 score: 8.1) disclosed on June 30, 2026, affecting IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2. The vulnerability stems from CWE-613 (Insufficient Session Expiration) — both products fail to properly invalidate session IDs once they expire, leaving stale authentication tokens usable by malicious actors.

Technical Details

The CVSS vector — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N — tells the full story:

MetricValueMeaning
Attack VectorNetworkRemotely exploitable
Attack ComplexityLowNo specialized conditions required
Privileges RequiredLowValid credentials needed (any user)
User InteractionNoneFully automated exploitation
ConfidentialityHighFull data exposure possible
IntegrityHighData modification possible
AvailabilityNoneService uptime unaffected

An authenticated attacker who obtains a stale session token — through network interception, log access, browser forensics, or session fixation — can reuse it to authenticate as a different user even after the legitimate session should have expired. This enables full account takeover of any user whose token was captured.

Root Cause

The root cause is CWE-613 (Insufficient Session Expiration). Both IBM DevOps Automation and IBM DevOps Loop do not implement server-side session invalidation on expiry. When a session's timeout window passes, the server-side record is not destroyed, leaving the token accepted by the application backend indefinitely or until a server restart.

Proper mitigation requires server-side session tracking with explicit expiration enforcement — not just client-side cookie expiry.

Affected Products

  • IBM DevOps Automation version 1.0.1
  • IBM DevOps Loop version 1.0.2

IBM DevOps Automation is an enterprise workflow automation platform. IBM DevOps Loop integrates continuous feedback loops across development pipelines. Both products typically operate in collaborative, multi-user environments where session isolation between users is a critical security requirement.

Impact

Successful exploitation allows an attacker with low-privilege credentials to:

  • Impersonate any other user on the system
  • Access that user's data, pipeline configurations, and automation artifacts
  • Modify DevOps workflows, source repositories, or deployment pipelines under another user's identity
  • Potentially pivot to infrastructure with elevated privileges if impersonated users hold admin roles

Mitigation

IBM published remediation guidance in advisory IBM Security Advisory 7277970. Affected organizations should:

  1. Apply IBM's patch for both IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 immediately
  2. Audit active sessions for any unauthorized activity prior to patching
  3. Force-invalidate all existing sessions after applying the fix
  4. Implement session timeout monitoring at the network layer as a compensating control
  5. Review logs for suspicious reuse of expired session tokens

References

  • NVD Entry — CVE-2025-36359
  • IBM Security Advisory 7277970
  • CWE-613: Insufficient Session Expiration
#CVE#NVD#Vulnerability#IBM#Session Management#CWE-613

Related Articles

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-49814: Dell PowerProtect Data Domain OS Command Injection

A high-severity OS command injection vulnerability in Dell PowerProtect Data Domain allows authenticated remote attackers to execute arbitrary commands...

3 min read
Back to all Security Alerts