CVE-2026-4820— IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4820
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag
Source: NVD (National Vulnerability Database)
Vulnerability Description
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTPS会话中未设置’Secure’属性的敏感Cookie
Source: NVD (National Vulnerability Database)
Vulnerability Title
IBM Maximo Application Suite 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
IBM Maximo Application Suite是美国国际商业机器(IBM)公司的一个为智能资产管理、监控、维护、计算机视觉、安全性和可靠性提供的单一平台。 IBM Maximo Application Suite 9.1版本、9.0版本、8.11版本和8.10版本存在安全漏洞,该漏洞源于未在授权令牌或会话Cookie上设置安全属性,可能导致攻击者通过发送http链接或植入链接获取Cookie值。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| IBM | Maximo Application Suite | 9.1.0 ~ 10.6.5.0 | cpe:2.3:a:ibm:maximo_application_suite:9.1:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-4820
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4820
Please Login to view more intelligence information
Same Patch Batch · IBM · 2026-04-01 · 16 CVEs total
| CVE-2026-4101 | 8.1 HIGH | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Ve |
| CVE-2025-13855 | 7.6 HIGH | IBM Storage Protect Server is affected by a vulnerability that could allow authenticated u |
| CVE-2026-1345 | 7.3 HIGH | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Ve |
| CVE-2025-36375 | 6.5 MEDIUM | IBM DataPower Gateway vulnerable to CSRF |
| CVE-2025-66483 | 6.3 MEDIUM | Multiple vulnerabilities have been addressed in IBM Aspera Shares |
| CVE-2025-13916 | 5.9 MEDIUM | Multiple vulnerabilities have been addressed in IBM Aspera Shares |
| CVE-2025-66484 | 5.5 MEDIUM | Multiple vulnerabilities have been addressed in IBM Aspera Shares |
| CVE-2025-66485 | 5.4 MEDIUM | Multiple vulnerabilities have been addressed in IBM Aspera Shares |
| CVE-2026-4364 | 5.4 MEDIUM | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Ve |
| CVE-2026-1491 | 5.3 MEDIUM | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Ve |
| CVE-2026-2862 | 5.3 MEDIUM | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Ve |
| CVE-2025-66486 | 4.8 MEDIUM | Multiple vulnerabilities have been addressed in IBM Aspera Shares |
| CVE-2025-36373 | 4.1 MEDIUM | Incorrect administrative access control in IBM DataPower Gateway |
| CVE-2026-2475 | 3.1 LOW | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Ve |
| CVE-2025-66487 | 2.7 LOW | Multiple vulnerabilities have been addressed in IBM Aspera Shares |
IV. Related Vulnerabilities
Same product: Maximo Application Suite
Same vendor: IBM
- CVE-2026-1577
IBM® Db2® is vulnerable to a denial of service with a specia - CVE-2025-36122
IBM® Db2® is vulnerable to a denial of service with a specia - CVE-2025-14688
IBM® Db2® is vulnerable to a denial of service when fetching - CVE-2026-2311
IBM i is affected by a privilege escalation vulnerability in - CVE-2025-36180
Inadequate Pod Communication Restrictions, affects watsonx.d
Same weakness: CWE-614
- CVE-2026-22617
Eaton Intelligent Power Protector 安全漏洞 - CVE-2026-32745
JetBrains Datalore 安全漏洞 - CVE-2026-1697
Use of unsecure cookies for GraphicalData web service and We - CVE-2024-58317
Kentico Xperience <= 13.0.164 Cookie Security Configuration - CVE-2025-36249
IBM Jazz for Service Management is vulnerable to "filter" co
V. Comments for CVE-2026-4820
No comments yet