Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible API requires only low-privilege authentication; disclosure is read-only with no integrity or availability impact, and scope does not extend beyond the vulnerable system.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
AnalysisAI
Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session with at minimum low-privilege access to the HCL DevOps Deploy / HCL Launch platform (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5, reflecting low-complexity network exploitation by any authenticated user with no interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid low-privilege credentials - for example, a developer account or contractor with basic deployment access - authenticates to the HCL DevOps Deploy API and issues standard API requests to configuration or environment endpoints. The API responses include sensitive values such as stored credentials or API tokens for connected infrastructure. … |
| Remediation | Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131697 for patched versions and apply the vendor-released fix immediately; exact fix version numbers are not independently confirmed from public data and must be obtained from the advisory directly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hcl Devops Deploy Hcl Launch
View allSensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in app
HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42555
GHSA-cx4j-m7pg-57q2