
HCL DominoIQ CVE-2026-21836

EUVD-2026-31117 MEDIUM
Missing Authorization (CWE-862)
2026-05-20 psirt@hcl.com GHSA-2qq9-gw9m-g2rg
CVSS 3.1: 6.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 20, 2026 - 14:32 vuln.today

Description (NVD)

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.

Analysis (AI)

HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. …
