Back to overview

CVE-2026-35147

HIGH
8.2
CVSS 3.1
Description
HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user's authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.

Metadata

CVE ID
CVE-2026-35147
State
PUBLISHED
Assigner
HCL
Reserved
2026-04-01 16:32 UTC
Published
2026-07-16 11:04 UTC
Last updated
2026-07-16 11:56 UTC
Primary CWE
CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product
HCL Software / DFXServer
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
HCL Software DFXServer version 2.5 and below
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Back to overview