{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21790", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2026-01-05T16:08:02.277Z", "datePublished": "2026-03-24T20:04:28.585Z", "dateUpdated": "2026-03-24T20:28:10.662Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-24T20:04:28.585Z"}, "title": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability", "datePublic": "2026-03-24T19:49:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error", "type": "CWE"}]}], "affected": [{"vendor": "HCLSoftware", "product": "Traveler", "versions": [{"status": "affected", "version": "< 14.5.1.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks."}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129139"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T20:27:58.531587Z", "id": "CVE-2026-21790", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T20:28:10.662Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21790", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T20:27:58.531587Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T20:28:03.392Z"}}], "cna": {"title": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCLSoftware", "product": "Traveler", "versions": [{"status": "affected", "version": "< 14.5.1.0"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-24T19:49:00.000Z", "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129139"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks.", "supportingMedia": [{"type": "text/html", "value": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-24T20:04:28.585Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21790", "state": "PUBLISHED", "dateUpdated": "2026-03-24T20:28:10.662Z", "dateReserved": "2026-01-05T16:08:02.277Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-03-24T20:04:28.585Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks."}], "id": "CVE-2026-21790", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2026-03-24T21:16:26.927", "references": [{"source": "psirt@hcl.com", "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129139"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,14.5.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Traveler", "source": "cna", "vendor": "HCLSoftware"}, "product": "traveler", "vendor": "hcltech"}], "analysis": {"en": {"generated_at": "2026-03-24T21:25:04.877492+00:00", "value": {"mitigation_remediation": ["Download and install the latest HCL Traveler security update that addresses weak HTTP header validation.", "Test the applied patch in a controlled environment before redeploying to production.", "If no patch is yet available, restrict inbound traffic to the Traveler service or apply IP\u2011based access controls to limit exposure.", "Continuously monitor HCL Software advisories for an official fix and apply it as soon as it is released."], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects HCL Software\u2019s Traveler product. No specific version numbers are provided in the CNA data, so all deployed instances should be evaluated for the presence of this weak header validation behavior.", "description_and_impact": "HCL Traveler contains a weakness in its default validation of HTTP headers that can allow an attacker to bypass additional authentication checks. The flaw does not grant direct code execution but can lead to unauthorized access to the application, exposing data or services that normally would require proper authentication. The vulnerability is a classic case of insufficient input validation leading to a privilege escalation within the application\u2019s authentication flow.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet widely exploited. The likely attack vector involves remote HTTP requests, leveraging the weak header checks to bypass authentication. Because the flaw can be triggered over the network, it poses a risk to any publicly reachable Traveler installation."}}}}, "created": "2026-03-25T11:46:09.232184+00:00", "updated": "2026-03-25T20:57:34.871894+00:00", "vendors": ["hcltech", "hcltech$PRODUCT$traveler"]}