Overview
CVE-2025-36359 is a HIGH-severity session management flaw (CVSS v3.1 score: 8.1) disclosed on June 30, 2026, affecting IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2. The vulnerability stems from CWE-613 (Insufficient Session Expiration) — both products fail to properly invalidate session IDs once they expire, leaving stale authentication tokens usable by malicious actors.
Technical Details
The CVSS vector — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N — tells the full story:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Remotely exploitable |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | Low | Valid credentials needed (any user) |
| User Interaction | None | Fully automated exploitation |
| Confidentiality | High | Full data exposure possible |
| Integrity | High | Data modification possible |
| Availability | None | Service uptime unaffected |
An authenticated attacker who obtains a stale session token — through network interception, log access, browser forensics, or session fixation — can reuse it to authenticate as a different user even after the legitimate session should have expired. This enables full account takeover of any user whose token was captured.
Root Cause
The root cause is CWE-613 (Insufficient Session Expiration). Both IBM DevOps Automation and IBM DevOps Loop do not implement server-side session invalidation on expiry. When a session's timeout window passes, the server-side record is not destroyed, leaving the token accepted by the application backend indefinitely or until a server restart.
Proper mitigation requires server-side session tracking with explicit expiration enforcement — not just client-side cookie expiry.
Affected Products
- IBM DevOps Automation version 1.0.1
- IBM DevOps Loop version 1.0.2
IBM DevOps Automation is an enterprise workflow automation platform. IBM DevOps Loop integrates continuous feedback loops across development pipelines. Both products typically operate in collaborative, multi-user environments where session isolation between users is a critical security requirement.
Impact
Successful exploitation allows an attacker with low-privilege credentials to:
- Impersonate any other user on the system
- Access that user's data, pipeline configurations, and automation artifacts
- Modify DevOps workflows, source repositories, or deployment pipelines under another user's identity
- Potentially pivot to infrastructure with elevated privileges if impersonated users hold admin roles
Mitigation
IBM published remediation guidance in advisory IBM Security Advisory 7277970. Affected organizations should:
- Apply IBM's patch for both IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 immediately
- Audit active sessions for any unauthorized activity prior to patching
- Force-invalidate all existing sessions after applying the fix
- Implement session timeout monitoring at the network layer as a compensating control
- Review logs for suspicious reuse of expired session tokens