
CVE-2026-21826: HCL DX Compose Host Header Injection Flaw

CVE-2026-21826 is a Host header injection vulnerability in HCL Digital Experience Compose that enables attackers to manipulate headers and trigger unexpected behavior. This article covers technical details, affected versions, and mitigation.


CVE-2026-21826 Overview

CVE-2026-21826 is a Host header injection vulnerability affecting HCL Digital Experience and HCL Digital Experience Compose. An attacker can manipulate the HTTP Host header to cause the application to behave in unexpected ways. The flaw is classified under CWE-601 (URL Redirection to Untrusted Site / Open Redirect) and is exploitable over the network without authentication, though it requires user interaction. Successful exploitation can enable phishing, cache poisoning, or password-reset link manipulation against legitimate users of the platform.

Critical Impact

Attackers can manipulate the HTTP Host header to redirect users to attacker-controlled domains, poison web caches, or facilitate phishing campaigns that abuse the trust of the legitimate HCL Digital Experience deployment.

Affected Products

  • HCL Digital Experience 9.5 (including CF17 through CF234)
  • HCL Digital Experience Compose 9.5 (including CF224 through CF234)
  • Deployments using default Host header handling without virtual host whitelisting

Discovery Timeline

  • 2026-06-05 - CVE-2026-21826 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-21826

Vulnerability Analysis

The vulnerability stems from the application trusting the value of the HTTP Host header supplied by the client. Web applications frequently use the Host header to construct absolute URLs for password reset emails, redirects, and cache keys. When this header is not validated against an allowlist of approved hostnames, an attacker can substitute an attacker-controlled domain.

The issue affects HCL Digital Experience and HCL Digital Experience Compose portal components that generate URLs based on the inbound request. Because the scope is marked as changed in the CVSS vector, the impact crosses a trust boundary from the vulnerable component to the user's browser session.

Exploitation requires user interaction, typically by tricking a user into clicking a crafted link or submitting a request that triggers an action such as a password reset. The EPSS score for this issue is 0.03%, reflecting low observed exploitation interest at the time of publication.

Root Cause

The root cause is improper validation of the Host request header. The application uses the header value to generate links, perform redirects, or populate response content without confirming the header matches a configured set of trusted virtual hosts. This is a classic CWE-601 open redirect pattern triggered through header manipulation.
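The following example, added here and not taken from the page or from HCL's code base, shows the pattern described in the Vulnerability Analysis and Root Cause sections: a reset-link builder that copies the request Host header into an absolute URL, beside a hardened version that only accepts hosts from a configured allowlist and otherwise falls back to the canonical hostname. The allowlist, hostnames and `/reset-password` path are assumptions for the demonstration.

```python
from typing import Optional
from urllib.parse import urlunsplit

# Constructed allowlist: the deployment's real virtual hosts (assumed values).
ALLOWED_HOSTS = {"portal.example.com", "portal-dr.example.com"}
CANONICAL_HOST = "portal.example.com"
RESET_PATH = "/reset-password"  # hypothetical path, not an HCL DX endpoint


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    """The CWE-601 pattern: the absolute URL is built straight from the
    client-supplied Host header, so a forged header lands in the email."""
    return f"https://{host_header}{RESET_PATH}?token={token}"


def normalize_host(host_header: str) -> Optional[str]:
    """Lower-case the header and strip an explicit port so the comparison
    against the allowlist is exact; empty or missing values yield None."""
    value = (host_header or "").strip().lower()
    if not value:
        return None
    if value.startswith("["):  # IPv6 literal such as [::1]:443
        host = value.split("]")[0] + "]"
    else:
        host = value.split(":")[0]
    return host or None


def build_reset_link_hardened(host_header: str, token: str) -> str:
    """Only an allowlisted Host value is reflected; anything else (forged,
    malformed, look-alike, or absent) falls back to the configured host."""
    host = normalize_host(host_header)
    chosen = host if host in ALLOWED_HOSTS else CANONICAL_HOST
    return urlunsplit(("https", chosen, RESET_PATH, f"token={token}", ""))
```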

Attack Vector

An unauthenticated attacker sends an HTTP request to the HCL Digital Experience server with a forged Host header pointing to an attacker-controlled domain. If the application reflects that header in a password-reset link, an email link, or a redirect, the victim who interacts with the resulting content is sent to the malicious domain. Common abuse scenarios include phishing for credentials, web cache poisoning, and bypassing same-origin checks on relative redirects.

No verified public proof-of-concept code is available for this issue. Refer to the HCL Software Knowledge Base Article for vendor-specific exploitation context.

Detection Methods for CVE-2026-21826

Indicators of Compromise

  • HTTP requests to HCL Digital Experience endpoints where the Host header value does not match any configured virtual host or load balancer FQDN
  • Outbound password-reset or notification emails containing links pointing to unexpected external domains
  • Web server access logs showing repeated requests with anomalous Host header values from a single source IP
  • User reports of phishing emails that appear to originate from the legitimate portal but link to look-alike domains

Detection Strategies

  • Parse reverse proxy and application server access logs for Host header values outside the approved hostname allowlist
  • Correlate inbound HTTP requests with outbound email link domains to detect injection into generated URLs
  • Alert on HTTP 30x redirects from HCL Digital Experience responses whose Location header points to non-corporate domains
  • Inspect cached responses for content keyed to unexpected hostnames
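As an added example (not part of the original advisory), the detection logic from the first and third strategies above run over a few constructed access-log lines: it flags requests whose Host value is outside the allowlist, flags 30x responses whose Location points off the allowlist, and counts bad Host values per source IP. The log format (`remote_addr host "request" status "location"`) is an assumed custom format, and the IPs and hostnames are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlist: legitimate virtual hosts / load balancer FQDNs (assumed).
ALLOWED_HOSTS = {"portal.example.com", "portal-dr.example.com"}

# Assumed custom access-log format (not a stock nginx/IHS format):
#   remote_addr host "request" status "location"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<location>[^"]*)"$'
)


def host_of(value: str) -> str:
    """Lower-case hostname without port from a Host header or a Location URL.
    Returns '' for empty, '-' or relative Location values (treated as internal)."""
    if value in ("", "-"):
        return ""
    if "://" in value or value.startswith("//"):
        value = urlsplit(value).netloc
    elif value.startswith("/"):
        return ""
    return value.lower().split(":")[0]


def scan(lines):
    """Return (findings, bad_hosts_per_ip). Each finding is (ip, reason, host)."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ip, host = m["ip"], host_of(m["host"])
        if host not in ALLOWED_HOSTS:
            findings.append((ip, "host-not-allowlisted", host))
            per_ip[ip] += 1
        loc_host = host_of(m["location"])
        if m["status"].startswith("3") and loc_host and loc_host not in ALLOWED_HOSTS:
            findings.append((ip, "redirect-to-external", loc_host))
    return findings, per_ip


# Constructed sample log lines (documentation IP range 203.0.113.0/24).
SAMPLE_LOG = """\
203.0.113.10 portal.example.com "GET /login HTTP/1.1" 200 "-"
203.0.113.50 evil.example.net "POST /reset-password HTTP/1.1" 302 "https://evil.example.net/reset-password?token=abc"
203.0.113.50 portal.example.com.evil.net "GET /login HTTP/1.1" 200 "-"
203.0.113.10 portal-dr.example.com:443 "GET / HTTP/1.1" 302 "https://portal-dr.example.com/login"
""".splitlines()
```

Only the second and third lines produce findings; the last line shows that a port suffix and an internal redirect are not flagged.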

Monitoring Recommendations

  • Forward web server, WAF, and application logs to a centralized analytics platform for header anomaly review
  • Establish a baseline of legitimate Host header values per deployment and alert on deviations
  • Monitor email gateway telemetry for outbound messages containing links to newly registered or unverified domains
  • Track changes to virtual host configuration files and load balancer routing rules for unauthorized modifications

How to Mitigate CVE-2026-21826

Immediate Actions Required

  • Apply the vendor fix documented in the HCL Software Knowledge Base Article
  • Configure the web server and application to validate the Host header against an explicit allowlist of approved FQDNs
  • Review outbound email templates and reset workflows to confirm URLs use a server-side configured hostname rather than the request Host header
  • Audit existing logs for evidence of Host header tampering during the exposure window

Patch Information

HCL has published remediation guidance in knowledge base article KB0130849. Customers running HCL Digital Experience 9.5 or HCL Digital Experience Compose 9.5 on any cumulative fix from CF17 through CF234 should consult the advisory for the specific cumulative fix or interim fix that resolves this issue. Refer to the HCL Software Knowledge Base Article for the authoritative patch matrix.

Workarounds

  • Enforce a strict Host header allowlist at the reverse proxy or load balancer in front of HCL Digital Experience
  • Hardcode the canonical hostname used to generate password-reset links and absolute URLs in application configuration
  • Deploy a Web Application Firewall rule that drops requests whose Host header does not match approved values
  • Disable absolute URL generation derived from request headers where the application supports relative URLs

```nginx
# Example nginx configuration enforcing a Host header allowlist in front of
# HCL Digital Experience. The ssl_certificate/ssl_certificate_key directives
# and the "upstream hcl_dx_backend" block are omitted for brevity.
server {
    listen 443 ssl;
    # Both allowlisted names must be served here so the check below is reached
    # even when other server blocks exist on the same listener.
    server_name portal.example.com portal-dr.example.com;

    # $host is the Host header lower-cased with any port removed, so an
    # anchored, case-insensitive match against the approved FQDNs is exact.
    if ($host !~* ^(portal\.example\.com|portal-dr\.example\.com)$) {
        return 400;
    }

    location / {
        # Hand the backend a fixed canonical Host so generated links and
        # redirects never depend on the client-supplied value.
        proxy_set_header Host portal.example.com;
        proxy_pass http://hcl_dx_backend;
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
