IBM DevOps Automation 1.0.1 & Loop 1.0.2 Session ID Expiration Bypass
CVE-2025-36359 Published on June 30, 2026
IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 do not invalidate session IDs after expiration, which could allow an authenticated user to impersonate another user on the system.
Vulnerability Analysis
CVE-2025-36359 can be exploited with network access and requires a small amount of user privileges. The vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Products Associated with CVE-2025-36359
Affected Versions
IBM DevOps Automation:
- Version 1.0.1 is affected.
- Version 1.0.2 is affected.