Description
An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user lacking Master Operator privileges to retrieve site names, version information, and configuration variables from unprotected endpoints. The flaw arises from missing access controls and inadequate security headers, permitting visibility into internal data that should be restricted to privileged accounts.

Affected Systems

HCL Software’s BigFix WebUI is impacted. All deployments using this web interface are potentially vulnerable until an update that restores proper authorization is applied, as no specific version range is defined in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers require an authenticated session with non-privileged credentials and target endpoints that lack proper security headers to bypass privilege checks and access configuration data.

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for HCL BigFix WebUI that restores proper authorization checks
  • Restrict WebUI access to users with Master Operator privileges or enforce stricter role‑based controls
  • Configure HTTP security headers (e.g., X‑Frame‑Options, X‑Content‑Type‑Options, Content‑Security‑Policy) on vulnerable endpoints
  • If a patch is not yet available, limit network exposure of the WebUI to trusted IP ranges

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
Title HCL BigFix WebUI is affected by an improper authorization vulnerability
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-09T04:58:55.241Z

Reserved: 2026-04-14T05:56:25.354Z

Link: CVE-2025-15633

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T06:16:07.413

Modified: 2026-05-09T06:16:07.413

Link: CVE-2025-15633

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T07:00:11Z

Weaknesses