CVE-2026-4096
Description
IBM DevOps Plan from 3.0.0 to 3.0.6 is vulnerable to HTTP header injection via HOST headers, enabling cross-site scripting, cache poisoning, or session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM DevOps Plan versions 3.0.0 through 3.0.6 are affected by an HTTP header injection vulnerability (CWE-644) caused by improper validation of input in the HOST headers [1]. This allows an attacker to inject arbitrary HTTP headers into responses handled by the application.
Exploitation
An attacker can send a specially crafted HTTP request with a malicious HOST header to the vulnerable IBM DevOps Plan server, without requiring authentication or user interaction [1]. The server does not properly neutralize the header, enabling the injection.
Impact
Successful exploitation could lead to various attacks including cross-site scripting (XSS), cache poisoning, or session hijacking [1]. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates low confidentiality and integrity impact with no availability impact.
Mitigation
IBM has released version 3.0.7, which addresses the vulnerability [1]. No workarounds are available, so users should upgrade to 3.0.7 or later. The vulnerability was published on 03 June 2026.
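The mechanism behind this class of bug is a server that copies the request's Host value verbatim into a response header (a redirect Location, a canonical link, an absolute URL in the page body). The following is an added illustration in Python, not IBM DevOps Plan's code and not derived from the fix: it shows the vulnerable pattern beside a hardened form that validates Host against a configured allowlist, rejects CR/LF, and falls back to a canonical hostname. The hostnames, allowlist and header values are constructed placeholders.

```python
import re

# Constructed placeholder values for this demo; a real deployment loads its
# canonical host and allowlist from configuration, never from the request.
CANONICAL_HOST = "plan.example.internal"
ALLOWED_HOSTS = frozenset({CANONICAL_HOST, "localhost"})

# RFC 1123-style hostname with an optional :port suffix.
# IPv6 literals ([::1]:8080) are deliberately not handled here.
_HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def vulnerable_location(host, path):
    """Vulnerable pattern: the request's Host value is copied verbatim into a
    response header, so whatever the client sent (including CR/LF and extra
    header lines) ends up in the response."""
    return "Location: https://" + host + path


def validate_host(host):
    """Return the lowercased, port-stripped hostname if it is on the allowlist,
    otherwise None. CR/LF and anything not shaped like a hostname are rejected
    before the allowlist comparison, so a rejected value never reaches output."""
    if not host or "\r" in host or "\n" in host:
        return None
    # fullmatch (not match/search with $) so a trailing newline cannot slip past
    m = _HOST_RE.fullmatch(host)
    if m is None:
        return None
    name = m.group("name").lower()
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return name if name in ALLOWED_HOSTS else None


def hardened_location(host, path):
    """Hardened pattern: build the header from a trusted host only; when the
    request's Host is untrusted, fall back to the configured canonical host
    (the port is dropped here because the canonical URL is built from the
    hostname; a real app would take scheme and port from configuration too)."""
    safe_host = validate_host(host) or CANONICAL_HOST
    return "Location: https://" + safe_host + path


def is_safe_header_value(value):
    """Defense in depth at serialization time: a header value that carries CR
    or LF could terminate the header and start a new one, so refuse it."""
    return "\r" not in value and "\n" not in value


def serialize_headers(headers):
    """Emit headers as wire lines, refusing any value that fails the CR/LF check."""
    lines = []
    for name, value in headers:
        if not is_safe_header_value(value):
            raise ValueError("header injection attempt in %r" % name)
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed request Host values: one trusted, one foreign, one carrying CR/LF.
    for h in ("PLAN.example.internal:8443", "evil.example", "evil.example\r\nX-Injected: 1"):
        print(repr(h))
        print("  vulnerable:", repr(vulnerable_location(h, "/login")))
        print("  hardened:  ", repr(hardened_location(h, "/login")))
```

The two checks are complementary: `validate_host` stops a foreign host from being reflected at all (the cache-poisoning and redirect case), while `serialize_headers` catches any CR/LF that reaches the response layer by another route. A validation failure on Host is also a useful thing to log, since legitimate clients send the hostname they were configured with.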
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.0.0 - 3.0.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.