Skip to main content

HCL DevOps Deploy CVE-2026-56457

| EUVDEUVD-2026-40091 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-29 HCL GHSA-q6fr-25ph-fpvf
4.3
CVSS 3.1 · Vendor: HCL
Share

Severity by source

Vendor (HCL) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Log access is network-reachable via web UI (AV:N), requires only a low-privilege user account (PR:L), and confidentiality impact is partial (C:L) bounded to values present in accessible pipeline logs.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 14:21 vuln.today

DescriptionCVE.org

HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.

AnalysisAI

HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to HCL DevOps Deploy with low-privilege credentials
Delivery
Navigate to step output logs for a target pipeline execution
Exploit
Identify sensitive values exposed in plaintext log entries
Execution
Extract credentials or tokens from log content
Impact
Authenticate against downstream systems using extracted secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires an active authenticated session with at minimum low-privilege access to HCL DevOps Deploy or HCL Launch (PR:L per CVSS), and permission to view step output logs for at least one pipeline execution that processed sensitive values. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is well-calibrated to the actual risk: exploitation requires authenticated access (PR:L), ruling out anonymous exploitation, and impact is bounded to partial confidentiality (C:L) - limited to what sensitive values appear in accessible logs rather than systemic data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated developer or operator with low-level access browses step output logs for a recently executed deployment pipeline that processes sensitive infrastructure credentials or API tokens. Because those values are not masked in the log output, the attacker reads them in plaintext directly from the HCL DevOps Deploy web UI, then uses the extracted credentials to authenticate against downstream systems such as cloud APIs, databases, or container registries. …
Remediation Consult the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131694 to identify the specific patched version; exact fix version numbers are not available in the current input data and should not be inferred. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy