CVE-2026-21836
Awaiting Analysis Awaiting Analysis - Queue
Broken Access Control in HCL DominoIQ RAG Feature

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: HCL Software

Description
The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-21836
EUVD
EUVD-2026-31117
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hcl dominoiq *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in HCL DominoIQ involves a Broken Access Control issue in the RAG feature. Specifically, under certain conditions, document level access restrictions are ignored when the system determines what data to return from an AI query. This means that an authenticated attacker could bypass these restrictions and view sensitive data that they should not have access to.

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker to access sensitive data that is normally protected by document level access controls. Since the access restrictions can be bypassed, confidential or private information could be exposed, potentially leading to data breaches or unauthorized disclosure of sensitive information.

Compliance Impact

The vulnerability in HCL DominoIQ's RAG feature involves Broken Access Control that can allow an authenticated attacker to bypass document level access restrictions and view sensitive data.

Such unauthorized access to sensitive data could potentially lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

However, the provided information does not explicitly detail the impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart