Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Log access is network-reachable via web UI (AV:N), requires only a low-privilege user account (PR:L), and confidentiality impact is partial (C:L) bounded to values present in accessible pipeline logs.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.
AnalysisAI
HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated session with at minimum low-privilege access to HCL DevOps Deploy or HCL Launch (PR:L per CVSS), and permission to view step output logs for at least one pipeline execution that processed sensitive values. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is well-calibrated to the actual risk: exploitation requires authenticated access (PR:L), ruling out anonymous exploitation, and impact is bounded to partial confidentiality (C:L) - limited to what sensitive values appear in accessible logs rather than systemic data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated developer or operator with low-level access browses step output logs for a recently executed deployment pipeline that processes sensitive infrastructure credentials or API tokens. Because those values are not masked in the log output, the attacker reads them in plaintext directly from the HCL DevOps Deploy web UI, then uses the extracted credentials to authenticate against downstream systems such as cloud APIs, databases, or container registries. … |
| Remediation | Consult the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131694 to identify the specific patched version; exact fix version numbers are not available in the current input data and should not be inferred. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hcl Devops Deploy Hcl Launch
View allSensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecti
Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in app
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40091
GHSA-q6fr-25ph-fpvf