IBM DevOps Automation 1.0.1 & Loop 1.0.2 Session ID Expiration Bypass
CVE-2025-36359 Published on June 30, 2026

IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-36359 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."


Products Associated with CVE-2025-36359

stack.watch emails you whenever new vulnerabilities are published in IBM Devops Automation or IBM Devops Loop. Just hit a watch button to start following.

 
 

Affected Versions

IBM DevOps Automation: IBM DevOps Loop: