CVE-2025-36359
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
The vulnerability in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration. This allows an authenticated user to impersonate another user on the system.
Risk Assessment
The risk involves potential session hijacking, leading to unauthorized access to data and operations within the DevOps system.
Recommendation
It is recommended to immediately update to a version that fixes session invalidation and implement mechanisms enforcing re-authentication after session expiration.
Original NVD description (English source)
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.

