Skip to main content

HCL DFXServer EUVDEUVD-2026-44906

| CVE-2026-35148 MEDIUM
Improper Access Control (CWE-284)
2026-07-16 HCL GHSA-3rj8-qrpc-rrvr
6.3
CVSS 3.1 · Vendor: HCL
Share

Severity by source

Vendor (HCL) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
vuln.today AI
6.3 MEDIUM

Network-reachable, no credentials needed, but UI:R retained consistent with vendor framing; limited C/I/A impact reflects partial endpoint exposure.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 12:06 vuln.today

DescriptionCVE.org

HCL DFXServer is affected by a Missing Access Control vulnerability. This vulnerability states that certain endpoints are accessible without any form of authentication in another browser. This allows any network user to invoke these APIs and interact with the application without verification of their identity or authorization level.

AnalysisAI

Unauthenticated API access in HCL DFXServer exposes application endpoints to any network-reachable user without identity verification. The missing access control allows interactions with protected functionality - including read and write operations - from a browser or client that holds no valid session or credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach DFXServer API from network
Delivery
Identify unprotected endpoint paths
Exploit
Trigger victim interaction or directly invoke endpoint
Execution
Server processes request without auth check
Impact
Read or modify application data

Vulnerability AssessmentAI

Exploitation The attacker must have network access to the HCL DFXServer instance - no authentication, no session cookie, and no special privileges are required per the PR:N CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.3 (Medium) is derived from a network-reachable, low-complexity, no-privileges-required attack with user interaction (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on the same network as an HCL DFXServer instance opens a browser with no active session and directly invokes an unprotected API endpoint - potentially by observing endpoint paths through documentation, traffic inspection, or error responses. The server processes the request without verifying the caller's identity, returning application data or performing state-changing operations. …
Remediation Apply the patch or configuration fix detailed in HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131782 - the exact fixed version is not independently confirmed from available data, so the advisory is the authoritative source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy