Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Network-reachable, no credentials needed, but UI:R retained consistent with vendor framing; limited C/I/A impact reflects partial endpoint exposure.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
HCL DFXServer is affected by a Missing Access Control vulnerability. This vulnerability states that certain endpoints are accessible without any form of authentication in another browser. This allows any network user to invoke these APIs and interact with the application without verification of their identity or authorization level.
AnalysisAI
Unauthenticated API access in HCL DFXServer exposes application endpoints to any network-reachable user without identity verification. The missing access control allows interactions with protected functionality - including read and write operations - from a browser or client that holds no valid session or credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have network access to the HCL DFXServer instance - no authentication, no session cookie, and no special privileges are required per the PR:N CVSS metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.3 (Medium) is derived from a network-reachable, low-complexity, no-privileges-required attack with user interaction (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the same network as an HCL DFXServer instance opens a browser with no active session and directly invokes an unprotected API endpoint - potentially by observing endpoint paths through documentation, traffic inspection, or error responses. The server processes the request without verifying the caller's identity, returning application data or performing state-changing operations. … |
| Remediation | Apply the patch or configuration fix detailed in HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131782 - the exact fixed version is not independently confirmed from available data, so the advisory is the authoritative source. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in HCL DFXServer allows remote unauthenticated attackers to reach specific API endpoints directly
Authentication bypass in HCL DFXServer lets an unauthenticated remote attacker intercept and tamper with the server's au
HCL DFXServer permits client connections over plaintext HTTP, exposing all transmitted data to interception by any attac
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44906
GHSA-3rj8-qrpc-rrvr