CVE-2025-36082 is a medium-severity vulnerability affecting IBM OpenPages versions 9.0 and 9.1. The vulnerability is categorized under CWE-525, which involves information exposure through browser caching. Specifically, IBM OpenPages allows web page cache data to be stored locally on the user's system. This cached data can be accessed and read by other users on the same system, leading to unintended information disclosure. The vulnerability does not require user interaction or authentication to be exploited, but it does require local access (AV:L) to the affected system. The CVSS v3.1 base score is 4.0, reflecting a limited impact primarily on confidentiality, with no impact on integrity or availability. The vulnerability arises because sensitive information rendered by the OpenPages web application is cached by the browser and stored in a location accessible to other users sharing the same machine, such as in multi-user environments or shared workstations. This could expose sensitive governance, risk, and compliance data managed within OpenPages to unauthorized local users. No known exploits are reported in the wild, and no patches have been linked yet, indicating that remediation may still be pending or under development. The vulnerability highlights a design or configuration issue in how OpenPages handles caching headers or browser cache control directives, allowing sensitive content to persist beyond the intended session scope.

For European organizations using IBM OpenPages 9.0 or 9.1, this vulnerability poses a risk of local information leakage. Since OpenPages is a governance, risk, and compliance (GRC) platform, the data exposed could include sensitive regulatory compliance information, audit results, risk assessments, or internal policies. In environments where multiple users share workstations or virtual desktops, such as in large enterprises, consulting firms, or government agencies, unauthorized users could access cached data from previous sessions, potentially leading to data confidentiality breaches. This could undermine compliance with European data protection regulations such as GDPR, especially if personal or sensitive data is involved. While the vulnerability does not allow remote exploitation or system compromise, the exposure of sensitive information could facilitate insider threats or lateral movement within an organization. The impact is more pronounced in sectors with high regulatory scrutiny, including finance, healthcare, and public administration. However, organizations with strict endpoint security and user session isolation may mitigate the risk somewhat. The absence of known exploits reduces immediate risk but does not eliminate the need for proactive mitigation.

To mitigate CVE-2025-36082, European organizations should implement several targeted measures beyond generic advice: 1) Configure browsers used to access IBM OpenPages to disable caching of sensitive pages, using settings or extensions that enforce no-store or no-cache directives. 2) Implement strict HTTP cache-control headers on the OpenPages web server to prevent caching of sensitive content by browsers. 3) Enforce endpoint security policies that restrict shared use of workstations or virtual desktops, ensuring user sessions are isolated and local file access is controlled. 4) Regularly clear browser caches and temporary internet files on shared systems, ideally automated via scripts or endpoint management tools. 5) Educate users about the risks of shared systems and the importance of logging out and closing browsers after sessions. 6) Monitor IBM for patches or updates addressing this vulnerability and apply them promptly once available. 7) Consider deploying OpenPages in environments with enhanced session isolation, such as dedicated virtual machines or containers per user. These steps collectively reduce the risk of local information exposure through browser caching.