Skip to main content

HCL DevOps Loop CVE-2026-21760

| EUVDEUVD-2026-45230 MEDIUM
Direct Request ('Forced Browsing') (CWE-425)
2026-07-17 psirt@hcl.com GHSA-5ffw-6qxc-pqrw
4.6
CVSS 3.1 · Vendor: hcl
Share

Severity by source

Vendor (hcl) PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Forced browsing requires no user interaction, so UI:N is more accurate; all other metrics match the described network-accessible, low-privilege, limited-impact profile.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hcl).

CVSS VectorVendor: hcl

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 17:30 vuln.today

DescriptionCVE.org

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality (Forced Browsing) vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints.

AnalysisAI

Forced browsing vulnerability in HCL DevOps Loop allows authenticated low-privileged users to access restricted administrative endpoints by directly navigating to protected URLs without proper authorization enforcement. The application fails to validate that the requesting user holds sufficient privileges before serving administrative responses, enabling unauthorized access to admin functionality over the network. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Enumerate or guess admin endpoint URLs
Exploit
Send direct HTTP request to admin path
Execution
Application skips authorization check
Persist
Access restricted admin functionality
Impact
Read sensitive config or modify admin-level settings

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid low-privileged authenticated account within HCL DevOps Loop - unauthenticated external attackers cannot exploit this directly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 4.6 (Medium) reflects a constrained but real risk: PR:L requires the attacker to hold at least a low-privileged authenticated account, narrowing the threat surface to insider threats or compromised user credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged HCL DevOps Loop user who discovers or enumerates administrative endpoint URLs - through documentation, JavaScript source review, or path guessing - navigates directly to those URLs without being redirected or blocked. The application serves the administrative response without verifying the user's role, granting unauthorized visibility into or control over admin-level configuration or data. …
Remediation Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0132296 for the patched release version and upgrade instructions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy