Description
HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios.
Published: 2026-05-18
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw that permits an unauthorized user to update protected data. It is classified as CWE-863 (Incorrect Authorization). The description explicitly states that the flaw may allow a user without proper authorization to modify data in certain scenarios, potentially impacting data integrity and confidentiality. The impact is limited to the scope of data that can be updated via the affected interface and does not, as described, allow arbitrary code execution or system compromise.

Affected Systems

The vulnerable product is HCLSoftware Connections. No specific versions are listed in the CNA data, so all released instances of the platform may be affected until a patch is deployed.

Risk and Exploitability

The CVSS score of 4.6 places the flaw in the medium range. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that the likelihood of widespread exploitation is low at present. However, because the weakness lets a user without the required authorization modify data, any publicly exposed or poorly segmented Connections deployment could be targeted. The attack vector is likely the web interface or API through which update operations are performed, and an attacker would need to reach the component that processes update requests.

Generated by OpenCVE AI on May 18, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security patch for HCL Connections as soon as it becomes available.
  • Configure the platform so that only users with explicit update permissions can perform data modifications; remove overly broad role assignments.
  • Audit and verify the access control settings on all Connections services, ensuring that update operations are protected by strict authentication and authorization checks.
  • If a documented workaround is provided by HCL (e.g., disabling the vulnerable update path), apply it as an interim measure until a patch is released.


Advisories

No advisories yet.

History

Mon, 18 May 2026 20:15:00 +0000

Type      Values removed   Values added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 May 2026 19:30:00 +0000

Type         Values removed   Values added
Description                   HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.
Title                         HCL Connections is vulnerable to broken access control
Weaknesses                    CWE-863
References
Metrics                       cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-18T19:54:06.181Z

Reserved: 2026-01-05T16:08:02.277Z

Link: CVE-2026-21789

Vulnrichment

Updated: 2026-05-18T19:53:56.847Z

NVD

Status: Deferred

Published: 2026-05-18T20:16:37.607

Modified: 2026-05-18T20:23:31.147

Link: CVE-2026-21789

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T20:30:05Z

Weaknesses