Skip to content
Threat Feed
high advisory

IBM Engineering AI Hub Information Disclosure via URL Session Tokens (CVE-2026-15322)

A remote attacker can exploit CVE-2026-15322 in IBM Engineering AI Hub versions 1.0.0, 1.1.0, and 1.2.0 to obtain sensitive session tokens exposed in URLs, potentially leading to unauthorized access and information disclosure.

IBM Engineering AI Hub versions 1.0.0, 1.1.0, and 1.2.0 are affected by CVE-2026-15322, an information disclosure vulnerability (CWE-598) that allows a remote attacker to obtain sensitive session tokens. This flaw stems from the application's practice of embedding session tokens directly within URL query strings. Attackers can exploit this by intercepting network traffic, accessing web server logs, or leveraging browser history and referrer headers to capture these tokens. Successful exploitation could grant the attacker unauthorized access to the IBM Engineering AI Hub by hijacking legitimate user sessions, leading to the exposure and potential manipulation of sensitive data. This vulnerability affects core functionality of the AI Hub, which is designed for critical engineering tasks.

Attack Chain

  1. A legitimate user interacts with a vulnerable instance of IBM Engineering AI Hub (versions 1.0.0, 1.1.0, or 1.2.0).
  2. The IBM Engineering AI Hub application constructs HTTP GET requests that inadvertently embed sensitive session tokens directly into the URL query parameters.
  3. These HTTP requests containing the session token are transmitted over the network and may be logged by intermediate network devices, web server logs, or stored in browser history.
  4. A remote attacker monitors network traffic, or gains access to web server logs, browser history, or referrer logs where the sensitive URLs are recorded.
  5. The attacker extracts the session token from the exposed URL.
  6. The attacker then uses the captured session token to hijack the legitimate user's active session.
  7. This session hijacking grants the attacker unauthorized access to the IBM Engineering AI Hub with the privileges of the impersonated user.
  8. The attacker can now access, view, or potentially manipulate sensitive information or functionalities within the compromised application.

Impact

The successful exploitation of CVE-2026-15322 can lead to severe information disclosure and unauthorized access. Attackers can gain complete control over a user's session within the IBM Engineering AI Hub, allowing them to access sensitive engineering data, intellectual property, or configurations. This could result in data theft, data tampering, or further compromise of integrated systems. While the number of victims or specific sectors are not detailed in the advisory, any organization utilizing the affected versions of IBM Engineering AI Hub is at risk, particularly those handling confidential design, development, or AI-related data.

Recommendation

  • Patch CVE-2026-15322 immediately by upgrading IBM Engineering AI Hub to a fixed version as specified by IBM in their security bulletin referenced at https://www.ibm.com/support/pages/node/7279964.
  • Review application architecture and development practices to avoid the inclusion of sensitive information, such as session tokens, directly in URLs (CWE-598).
  • Implement secure session management practices, including using HTTP-only and secure flags for cookies, and ensuring session tokens are passed via HTTP headers or POST bodies rather than URLs.
  • Monitor network traffic for unusual or unencrypted transmission of session tokens in URLs originating from IBM Engineering AI Hub instances.