Race Condition Vulnerability in IBM UrbanCode Deploy and DevOps Deploy
CVE-2025-36360

5MEDIUM

Key Information:

Vendor: IBM
Status: Ucd - IBM Urbancode Deploy; Ucd - IBM Devops Deploy
Vendor: CVE Published:; 15 December 2025

What is CVE-2025-36360?

IBM UrbanCode Deploy and IBM DevOps Deploy are affected by a race condition in the enforcement of client-IP binding for HTTP sessions. This flaw allows a session to be temporarily reused from a different IP address before invalidation can be executed. Such a scenario could permit unauthorized access to sensitive resources under specific network conditions, highlighting the importance of timely patching and proper session management to mitigate potential risks.

Affected Version(s)

UCD - IBM DevOps Deploy 8.0 <= 8.0.1.10

UCD - IBM DevOps Deploy 8.1 <= 8.1.2.3

UCD - IBM UrbanCode Deploy 7.1 <= 7.1.2.27

References

https://www.ibm.com/support/pages/node/7254661

vendor-advisorypatch

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Apr 15, 2025

JSON