CVE-2026-35147
Received Received - Intake

Broken Authentication in HCL DFXServer via Direct API Access

Vulnerability report for CVE-2026-35147, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: HCL Software

Description

HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user's authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hcl dfxserver *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

HCL DFXServer has a Broken Authentication vulnerability where the application does not check if a user is authenticated when accessing certain API endpoints. This allows attackers to interact with these APIs and perform actions without providing valid credentials.

Detection Guidance

To detect this vulnerability, check for unauthenticated access to HCL DFXServer API endpoints. Monitor network traffic for requests to DFXServer APIs without valid session tokens or credentials. Inspect server logs for unusual API interactions from unknown sources.

Impact Analysis

An attacker could exploit this to perform unauthorized actions on the server, such as accessing sensitive data or modifying configurations, without needing to log in. This could lead to data breaches or system compromise.

Compliance Impact

This vulnerability could violate compliance requirements that mandate strict access controls and authentication, such as GDPR's data protection principles or HIPAA's safeguards for protected health information. Unauthorized access risks non-compliance.

Mitigation Strategies

Immediately restrict direct API access to authenticated users only. Review and update authentication mechanisms for all API endpoints. Implement proper session management and enforce strict access controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart