Description
Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.
Published: 2026-04-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Account Access via Brute‑Force Login
Action: Apply Patch
AI Analysis

Impact

Rate limiting for user logins is improperly enforced in HCL DevOps Velocity, allowing attackers to keep submitting credential guesses past the unsuccessful-attempt limit. The flaw is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts) and can lead to unauthorized account access or service disruption. The CVSS score of 6.8 (Medium) signals moderate risk, whether for a single system or a broader deployment.

Affected Systems

All HCL Software DevOps Velocity installations prior to version 5.1.7 are vulnerable. The vendor has released a fix in 5.1.7; no additional version details are supplied, so all earlier releases should be considered affected.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that no mass exploitation is currently known. The exploitation vector is inferred to be remote through the web login interface, requiring no special privileges beyond access to the service. Although the risk is moderate, repeated brute‑force attempts could lead to account breaches or denial of service.

Generated by OpenCVE AI on April 13, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HCL DevOps Velocity to version 5.1.7 or later to apply the vendor fix.
  • If an immediate upgrade is not possible, configure additional rate limiting or account lockout policies at the application or infrastructure level.
  • Monitor login attempts and alert on suspicious patterns, such as repeated failures against one account or from one source address, so that brute‑force attempts are detected early.
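The two interim measures above, a rate limiter with lockout and monitoring of failed logins, as an added example in Python. This is illustrative code written for this page; it is not part of HCL DevOps Velocity or OpenCVE, and the class and function names, thresholds, and the log line format are assumptions.

```python
"""Login rate limiting and brute-force detection (added example, not HCL code).

Two defensive pieces the recommended actions call for:
  1. LoginGuard: a sliding-window limiter with temporary lockout, keyed on
     both the target account and the client source address.
  2. find_bruteforce_sources: a detector that scans authentication log
     lines for sources exceeding a failure threshold inside a time window.
All identifiers, thresholds and the log format are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re
import time


@dataclass
class LoginGuard:
    max_failures: int = 5           # failures allowed inside the window
    window_seconds: float = 300.0   # sliding window length
    lockout_seconds: float = 900.0  # how long a key stays locked once tripped
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def _prune(self, key, now):
        """Drop failure timestamps that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_allowed(self, account, source, now=None):
        """True if an attempt for this account from this source may proceed.
        This must be consulted BEFORE credentials are verified; a limit that
        is only counted but never checked on the auth path restricts nothing."""
        now = time.time() if now is None else now
        for key in (("acct", account), ("src", source)):
            if self._locked_until.get(key, 0) > now:
                return False
        return True

    def record_failure(self, account, source, now=None):
        """Record a failed attempt; lock whichever key crosses the threshold."""
        now = time.time() if now is None else now
        for key in (("acct", account), ("src", source)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout_seconds
                self._failures[key].clear()

    def record_success(self, account, source, now=None):
        """A successful login clears the per-account failure history."""
        self._failures.pop(("acct", account), None)


# Assumed log format: "<epoch> LOGIN_OK|LOGIN_FAIL user=<name> src=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def find_bruteforce_sources(lines, threshold=10, window_seconds=60):
    """Return {source: max_failures_in_window} for every source whose failed
    logins reach `threshold` within some `window_seconds` span."""
    by_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "LOGIN_FAIL":
            continue
        by_src[m["src"]].append(int(m["ts"]))
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, 0):
                flagged[src] = count
    return flagged


# Constructed sample log: 12 failures in 24 seconds from one address,
# plus one failure and a success from another (documentation addresses).
SAMPLE_LOG = [f"{1000 + i * 2} LOGIN_FAIL user=alice src=203.0.113.7" for i in range(12)] + [
    "1001 LOGIN_FAIL user=bob src=198.51.100.4",
    "1040 LOGIN_OK user=bob src=198.51.100.4",
]

if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window_seconds=60, lockout_seconds=600)
    for t in (1, 2, 3):
        guard.record_failure("alice", "203.0.113.7", now=t)
    print("alice allowed after 3 failures:", guard.is_allowed("alice", "203.0.113.7", now=4))
    print("flagged sources:", find_bruteforce_sources(SAMPLE_LOG))
```

The point that matters for a CWE-307 class flaw is the enforcement site: `is_allowed` is evaluated before any password comparison, and both the account and the source are keyed, so neither password spraying across accounts nor a single-account guessing loop slips past the counter. The detector complements it by flagging sources in existing logs, which is the monitoring step recommended above.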


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Hclsoftware
                                       Hclsoftware velocity
Vendors & Products                     Hclsoftware
                                       Hclsoftware velocity

Mon, 13 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description                    Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.
Title                          HCL DevOps Velocity is susceptible to brute-force attacks
Weaknesses                     CWE-307
References
Metrics                        cvssV3_1
                               {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N'}

Subscriptions

Hclsoftware Velocity
MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-04-13T17:11:10.727Z

Reserved: 2025-04-01T18:46:35.960Z

Link: CVE-2025-31991

Vulnrichment

Updated: 2026-04-13T17:11:03.941Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T16:16:24.110

Modified: 2026-04-17T15:18:16.507

Link: CVE-2025-31991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:34:00Z

Weaknesses