Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Forced browsing requires no user interaction, so UI:N is more accurate; all other metrics match the described network-accessible, low-privilege, limited-impact profile.
Primary rating from Vendor (hcl).
CVSS VectorVendor: hcl
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality (Forced Browsing) vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints.
AnalysisAI
Forced browsing vulnerability in HCL DevOps Loop allows authenticated low-privileged users to access restricted administrative endpoints by directly navigating to protected URLs without proper authorization enforcement. The application fails to validate that the requesting user holds sufficient privileges before serving administrative responses, enabling unauthorized access to admin functionality over the network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid low-privileged authenticated account within HCL DevOps Loop - unauthenticated external attackers cannot exploit this directly. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 4.6 (Medium) reflects a constrained but real risk: PR:L requires the attacker to hold at least a low-privileged authenticated account, narrowing the threat surface to insider threats or compromised user credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged HCL DevOps Loop user who discovers or enumerates administrative endpoint URLs - through documentation, JavaScript source review, or path guessing - navigates directly to those URLs without being redirected or blocked. The application serves the administrative response without verifying the user's role, granting unauthorized visibility into or control over admin-level configuration or data. … |
| Remediation | Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0132296 for the patched release version and upgrade instructions. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-425 – Direct Request ('Forced Browsing')
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45230
GHSA-5ffw-6qxc-pqrw