What is the CVSS score of CVE-2026-21790?

CVE-2026-21790 has a CVSS 3.1 base score of 6.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Traveler are affected by CVE-2026-21790?

Organizations using HCL Traveler should be aware of moderate risk from CVE-2026-21790 rated CVSS 6.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Traveler CVE-2026-21790

EUVD-2026-15002 MEDIUM

Origin Validation Error (CWE-346)

2026-03-24 HCL

GHSA-mr94-p7f2-xw23

Authentication Bypass Traveler

6.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

14.5.1.0

EUVD ID Assigned

Mar 24, 2026 - 20:31 euvd

EUVD-2026-15002

Analysis Generated

Mar 24, 2026 - 20:31 vuln.today

CVE Published

Mar 24, 2026 - 20:04 nvd

MEDIUM 6.3

DescriptionCVE.org

HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks.

AnalysisAI

HCL Traveler contains a weak default HTTP header validation vulnerability (CWE-346) that allows authenticated attackers to bypass additional authentication checks and gain unauthorized access to sensitive functionality. The vulnerability affects HCL Traveler across multiple versions and requires only network access and valid credentials to exploit. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The risk profile reveals a meaningful but not critical vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated Traveler user whose credentials have been compromised or phished is leveraged by an attacker to bypass additional authentication checks. The attacker crafts HTTP requests with manipulated headers (e.g., spoofed Origin or custom authentication headers) that the vulnerable Traveler instance fails to validate properly, allowing them to access administrative functions or sensitive data without completing secondary authentication (e.g., challenge-response, second factor). …
Remediation	Organizations must upgrade HCL Traveler to the patched version specified in HCL's security advisory KB0129139 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129139). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-21790 vulnerability details – vuln.today

Back