CVE-2026-35148
Received Received - Intake

Missing Access Control in HCL DFXServer

Vulnerability report for CVE-2026-35148, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: HCL Software

Description

HCL DFXServer is affected by a Missing Access Control vulnerability. This vulnerability states that certain endpoints are accessible without any form of authentication in another browser. This allows any network user to invoke these APIs and interact with the application without verification of their identity or authorization level.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hcl dfxserver *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

HCL DFXServer has a Missing Access Control vulnerability where certain endpoints can be accessed without authentication in another browser. This lets any network user call these APIs and interact with the application without verifying their identity or permissions.

Detection Guidance

To detect this vulnerability, scan for open endpoints in HCL DFXServer that should require authentication but do not. Use network scanning tools like nmap to identify exposed services and check if unauthorized API endpoints are accessible. Example command: nmap -sV --script=http-enum <target_IP>. Review server logs for unusual API calls from unauthorized sources.

Impact Analysis

An attacker could exploit this to interact with the application, potentially accessing or modifying sensitive data, performing unauthorized actions, or disrupting services without needing valid credentials.

Compliance Impact

This vulnerability likely violates compliance requirements for data protection and access control, such as GDPR (data confidentiality) and HIPAA (unauthorized access risks), due to the lack of authentication for sensitive endpoints.

Mitigation Strategies

Implement authentication for all endpoints to prevent unauthorized access. Restrict network access to the DFXServer to trusted users only. Update to the latest patched version if available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart