CVE-2026-21836
Broken Access Control in HCL DominoIQ RAG Feature
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: HCL Software
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcl | dominoiq | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in HCL DominoIQ is a Broken Access Control issue in the RAG feature. Under certain conditions, document-level access restrictions are ignored when the system determines what data to return from an AI query. An authenticated attacker could therefore bypass these restrictions and view sensitive data they should not have access to.
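The defensive pattern implied by this explanation, shown as an added illustration that is not DominoIQ's code: a RAG retriever that ranks documents with no authorization check (the CWE-862 shape) beside one that filters candidates by the caller's document-level access before ranking and re-checks each hit before it is handed to the model. The corpus, the reader-list ACL model and the keyword ranking are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    readers: frozenset  # principals (users or groups) allowed to read; empty = public


# Constructed sample corpus standing in for an indexed document store.
CORPUS = [
    Doc("policy-01", "Holiday policy: staff accrue 25 days of leave per year.", frozenset()),
    Doc("hr-17", "Salary review: engineering salary bands for the next fiscal year.", frozenset({"hr"})),
    Doc("eng-42", "Engineering salary survey summary shared with all staff.", frozenset({"staff"})),
]


def relevance(query: str, doc: Doc) -> int:
    """Toy ranking: number of distinct query terms that appear in the document text."""
    terms = set(query.lower().split())
    return sum(1 for t in terms if t in doc.text.lower())


def retrieve_unfiltered(query: str, k: int = 3) -> list[str]:
    """The CWE-862 pattern: rank the whole corpus and return top-k with no authorization check."""
    ranked = sorted(CORPUS, key=lambda d: relevance(query, d), reverse=True)
    return [d.doc_id for d in ranked[:k] if relevance(query, d) > 0]


def can_read(doc: Doc, principals: set[str]) -> bool:
    """Document-level check: the document is public or the caller holds a listed principal."""
    return not doc.readers or bool(doc.readers & principals)


def retrieve_authorized(query: str, user: str, groups: set[str], k: int = 3) -> list[str]:
    """Hardened retrieval: restrict candidates to what the caller may read before ranking,
    then re-check every hit before it leaves the retriever (defence in depth)."""
    principals = {user} | groups
    candidates = [d for d in CORPUS if can_read(d, principals)]
    ranked = sorted(candidates, key=lambda d: relevance(query, d), reverse=True)
    hits = [d for d in ranked[:k] if relevance(query, d) > 0]
    # Nothing the caller cannot read may reach the model's context window.
    assert all(can_read(d, principals) for d in hits)
    return [d.doc_id for d in hits]
```

The unfiltered retriever returns the HR-only document to any authenticated caller who asks about salaries; the authorized retriever returns it only to a caller who holds the hr principal.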
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated attacker to access sensitive data that is normally protected by document-level access controls. Because those restrictions can be bypassed, confidential or private information could be exposed, potentially leading to data breaches or unauthorized disclosure of sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in HCL DominoIQ's RAG feature is a Broken Access Control issue that can allow an authenticated attacker to bypass document-level access restrictions and view sensitive data.
Such unauthorized access to sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
However, the provided information does not explicitly detail the impact on compliance with these standards.