CVE-2026-35147

HCL · DFXServer

HCL DFXServer is vulnerable to a broken authentication flaw, allowing unauthenticated attackers to bypass security controls via direct API access.

Executive summary

An unauthenticated authorization bypass vulnerability in HCL DFXServer permits unauthorized API access, posing a significant risk to data confidentiality.

Vulnerability

This vulnerability is an authorization bypass (CWE-639) occurring within the API management interface. The flaw allows unauthenticated remote attackers to interact with protected API endpoints by manipulating user-controlled keys.

Business impact

The ability for an unauthenticated actor to interact with the API can lead to unauthorized data exposure and potential manipulation of internal server functions. Given the CVSS score of 8.2, this vulnerability represents a high risk to business operations, as it could facilitate the exfiltration of sensitive information or the unauthorized modification of system data.

Remediation

Immediate Action: Upgrade to a version of HCL DFXServer that addresses this vulnerability, as specified in the HCL support documentation.

Proactive Monitoring: Review API access logs for anomalous request patterns or unauthorized authentication attempts directed at sensitive endpoints.

Compensating Controls: Implement strict network access controls or a Web Application Firewall (WAF) to restrict direct API access to known, trusted IP addresses until the patch is applied.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

This vulnerability presents a severe risk due to the ease of exploitation over the network without requiring authentication. Organizations using HCL DFXServer must prioritize upgrading to the latest secure version immediately to close this authorization gap and prevent unauthorized system access.