Skip to main content

HCL DevOps Deploy CVE-2026-56460

| EUVDEUVD-2026-42555 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-09 HCL GHSA-cx4j-m7pg-57q2
6.5
CVSS 3.1 · Vendor: HCL
Share

Severity by source

Vendor (HCL) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible API requires only low-privilege authentication; disclosure is read-only with no integrity or availability impact, and scope does not extend beyond the vulnerable system.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 10:11 vuln.today

DescriptionCVE.org

HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.

AnalysisAI

Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege platform credentials
Delivery
Authenticate to HCL DevOps Deploy REST API
Exploit
Query configuration or environment API endpoints
Execution
Extract secrets and credentials from API response body
Impact
Use exposed credentials to authenticate to downstream infrastructure

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at minimum low-privilege access to the HCL DevOps Deploy / HCL Launch platform (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5, reflecting low-complexity network exploitation by any authenticated user with no interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid low-privilege credentials - for example, a developer account or contractor with basic deployment access - authenticates to the HCL DevOps Deploy API and issues standard API requests to configuration or environment endpoints. The API responses include sensitive values such as stored credentials or API tokens for connected infrastructure. …
Remediation Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131697 for patched versions and apply the vendor-released fix immediately; exact fix version numbers are not independently confirmed from public data and must be obtained from the advisory directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy