CVE-2026-21837 | Severity: HIGH | CNA: HCL

CVE-2026-21837: HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API

HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

OS command injection in HCL Digital Experience's Digital Asset Management API allows a network-accessible attacker with a low-privilege account to execute arbitrary operating system commands. The vulnerability is reachable over the network and requires no victim interaction, with the injected commands running under the privileges of the application process. Successful exploitation gives the attacker full control over the host system and access to all data it holds. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment HCL publishes a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that package HCL Digital Experience 9.5 components.

Triage: Available

HarborGuard scores this finding at CVSS 8.7 (HIGH) using the published v4.0 vector and can weight it further against each customer environment's compliance policy, routing alerts to the appropriate team inbox based on configured ownership rules.

Patch: Pending upstream

No fix version has been published by HCL for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, that will trigger a regression run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Digital Asset Management API over the network; the service must be exposed to an adjacent or public network segment.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker does not need administrative credentials to reach the vulnerable API endpoint.

  • Victim interaction: Not required

    No user action is needed; the attacker sends a crafted request directly to the API without involving any other party.

  • Attack complexity: Low (AC:L)

    Exploit reliability is high and no special environmental conditions or race conditions are required to trigger the command injection.

Blast Radius

  • Executes arbitrary OS commands under the application process account, which the vendor notes typically leads to complete system takeover.
  • Reads, exfiltrates, or destroys all files and data accessible to the application user on the host filesystem.
  • Modifies or deletes stored digital assets and configuration data managed by the Digital Asset Management API.
  • Disrupts availability of the Digital Experience platform by terminating processes or corrupting runtime state.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against all images in customer registries and pipelines, including those packaging HCL Digital Experience 9.5, using the published CVSS 8.7 HIGH rating to prioritize alerting. Because no upstream fix exists at this time, HarborGuard monitors the HCL advisory on every ingest cycle. The moment HCL publishes a patched version, a rebuilt image becomes available; for customers with auto-remediation enabled, this triggers an automated rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict access to the Digital Asset Management API to known trusted clients only, egress filtering on the application container to limit the reach of any injected commands, and feature-flag gating to disable the affected API endpoint if the feature is not operationally required.

Affected packages
  • HCLSoftware / Digital Experience 9.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
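As an added example (not part of the advisory and not HarborGuard's own tooling), the following Python parser validates a CVSS v4.0 vector string and derives the Exploit Conditions and Blast Radius bullets above from it, using the vector published on this page. It assumes that only the eleven base metrics need value-checking; optional threat, environmental and supplemental metrics are accepted as-is.

```python
import re

# Vector as published on this advisory page.
ADVISORY_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

# Base metrics every CVSS v4.0 vector must carry, with their allowed values.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}

def parse_cvss4(vector):
    """Return {metric: value}; raise ValueError on a malformed or incomplete vector."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in body.split("/"):
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Za-z]+)", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        key, val = m.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        # Assumption: only base metrics are value-checked; other metric groups pass through.
        if key in BASE_METRICS and val not in BASE_METRICS[key]:
            raise ValueError(f"invalid value {val!r} for {key}")
        metrics[key] = val
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def exploit_conditions(metrics):
    """Map base metrics to the attacker-prerequisite bullets of the Exploit Conditions section."""
    return {
        "network_reachability": {"N": "Required (network)", "A": "Required (adjacent)",
                                 "L": "Local access", "P": "Physical access"}[metrics["AV"]],
        "authentication": {"N": "Not required", "L": "Required (low privilege)",
                           "H": "Required (high privilege)"}[metrics["PR"]],
        "victim_interaction": {"N": "Not required", "P": "Passive", "A": "Active"}[metrics["UI"]],
        "attack_complexity": {"L": "Low", "H": "High"}[metrics["AC"]],
    }

def blast_radius(metrics):
    """VC/VI/VA cover the vulnerable system; SC/SI/SA say whether downstream systems are hit."""
    full_takeover = all(metrics[k] == "H" for k in ("VC", "VI", "VA"))
    subsequent = any(metrics[k] != "N" for k in ("SC", "SI", "SA"))
    return {"full_takeover": full_takeover, "subsequent_systems": subsequent}
```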