Skip to main content

HCL DevOps Deploy CVE-2026-56459

| EUVDEUVD-2026-42547 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-07-09 HCL GHSA-8r3w-82fq-gwgp
5.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (HCL) PRIMARY
MEDIUM
qualitative
NVD
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.2 MEDIUM

Local attack vector with no privileges required, consistent with world-readable log files; high confidentiality only, no integrity or availability impact.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
CVSS changed
Jul 10, 2026 - 16:07 NVD
6.2 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jul 09, 2026 - 10:06 vuln.today

DescriptionNVD

HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.

AnalysisAI

Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in application log files to any local user who can read those files. Affected across four major release branches (7.3, 8.0, 8.1, and 8.2), the vulnerability stems from CWE-532, where the application writes sensitive material into logs without adequate sanitization or access restriction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local OS shell access
Delivery
Locate application log directory
Exploit
Read world-accessible log files
Execution
Extract sensitive credentials or tokens
Impact
Authenticate to downstream systems

Vulnerability AssessmentAI

Exploitation Local access to the operating system hosting HCL DevOps Deploy / HCL Launch is required; remote exploitation is not possible given AV:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.2 with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N correctly captures the local-only attack surface but flags a notable anomaly: PR:N (no privileges required) combined with AV:L implies the log files are world-readable by any authenticated OS user, not just privileged accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local OS user on the server hosting HCL DevOps Deploy - such as a developer, contractor, or compromised service account - reads application log files from the default log directory without requiring elevated privileges. The logs contain plaintext credentials, deployment tokens, or environment secrets written during pipeline execution, which the attacker then uses to pivot into downstream systems or cloud environments managed by the DevOps platform. …
Remediation Consult the HCL vendor knowledge base article KB0131696 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131696 for official patch guidance; no exact fixed version number is confirmed in the available intelligence data, so the specific upgrade target must be verified directly with HCL. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy