CVE-2025-52659
Published: 19 January 2026
Summary
CVE-2025-52659 is a low-severity Use of Web Browser Cache Containing Sensitive Information (CWE-525) vulnerability in Hcltech Aion. Its CVSS base score is 2.8 (Low).
Operationally, it ranks at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2025-52659 is a Cacheable HTTP Response vulnerability, classified under CWE-525, affecting HCL AION version 2. This flaw may result in the unintended storage of sensitive or dynamic content in caches, potentially enabling unauthorized access or information disclosure. The vulnerability received a CVSS v3.1 base score of 2.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L) and was published on 2026-01-19.
Exploitation requires local access, low attack complexity, low privileges, and user interaction. A local attacker with low-level privileges would have to induce a user to perform an action that produces a cacheable HTTP response containing sensitive or dynamic content. Although the description mentions possible unauthorized access or disclosure, the CVSS vector records no confidentiality or integrity impact; the scored effect is limited to a low availability disruption.
Mitigation guidance is available in the HCL Software support knowledge base article at https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3209
Vulnerability details
HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure.
- CWE(s): CWE-525 (Use of Web Browser Cache Containing Sensitive Information)
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): Directly requires configuring HTTP response headers (Cache-Control, Expires) so that sensitive or dynamic content is never stored in caches.
- AC-4 (Information Flow Enforcement): Enforces information-flow rules that prohibit caching of responses containing sensitive data, blocking the unintended storage path described in the CVE.
- Requires confidentiality and integrity protections for transmitted data, which includes ensuring responses are not inadvertently cached and later disclosed.
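The CM-6 control above amounts to a concrete header configuration, and the check for it is easy to automate. The following Python is an added example written for this page; it is not HCL code and does not describe AION's actual responses. It parses a raw HTTP response (a constructed sample, not captured from the product), reports the cache-related weaknesses a reviewer would flag for a response carrying sensitive or dynamic content, and shows the hardened header set that prevents browser and intermediary caches from storing it. The header values and the sample response are assumptions chosen to illustrate the control, not values from the advisory.

```python
"""Cache-control review for HTTP responses (added example, not product code)."""
from typing import Dict, List

# Header set that keeps a response out of browser and shared caches.
# no-store is the only directive that forbids storage outright (RFC 9111);
# Pragma and Expires are kept for legacy HTTP/1.0 caches.
NO_STORE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed sample: a dynamic JSON response with no caching directives at all.
SAMPLE_RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
    '{"account": "example", "balance": "redacted"}'
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP/1.x response into a dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return headers


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the caching weaknesses for a response assumed to be sensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = lowered.get("cache-control")
    if cc is None:
        findings.append("missing Cache-Control header")
    else:
        directives = {d.strip().lower() for d in cc.split(",") if d.strip()}
        if "no-store" not in directives:
            findings.append("Cache-Control lacks no-store")
            if "private" not in directives:
                findings.append("Cache-Control permits shared (proxy/CDN) caching")
    if "expires" not in lowered:
        findings.append("missing Expires header")
    if lowered.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache not set (HTTP/1.0 caches)")
    return findings


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the no-store set applied (CM-6 style fix)."""
    managed = {h.lower() for h in NO_STORE_HEADERS}
    hardened = {k: v for k, v in headers.items() if k.lower() not in managed}
    hardened.update(NO_STORE_HEADERS)
    return hardened


if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RAW_RESPONSE)
    print("before:", cache_findings(hdrs))
    print("after: ", cache_findings(harden(hdrs)))
```

Run against the constructed sample, the first call lists the missing Cache-Control, Expires and Pragma headers; after `harden()` the finding list is empty. The check treats `private` as acceptable only for shared caches: a response marked `private, max-age=600` is still stored by the user's browser, which is exactly the CWE-525 condition, so `no-store` remains the required directive.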