Skip to main content

HCL DominoIQ CVE-2026-21836

| EUVDEUVD-2026-31117 MEDIUM
Missing Authorization (CWE-862)
2026-05-20 psirt@hcl.com GHSA-2qq9-gw9m-g2rg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 14:32 vuln.today

DescriptionCVE.org

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.

AnalysisAI

HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

HCL DominoIQ is an AI-enhanced layer built atop HCL Domino that incorporates Retrieval-Augmented Generation (RAG), a technique in which a large language model queries an underlying document corpus to generate contextually informed responses. HCL Domino natively enforces document-level access control lists (ACLs) governing which users can read specific documents. The root cause is CWE-862 (Missing Authorization): the DominoIQ RAG pipeline fails to consult or properly enforce these existing ACLs when determining which documents to retrieve and surface in AI responses. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the flaw is exploitable over the network by any authenticated low-privileged user with access to the RAG interface, without additional complexity or user interaction. No CPE strings were included in the available intelligence data.

RemediationAI

Consult HCL's official knowledge base article KB0130932 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130932 for the vendor-released fix. An exact patched version number is not independently confirmed from the available data; organizations should contact HCL PSIRT directly at psirt@hcl.com for version-specific patch guidance. As an interim compensating control while awaiting patch deployment, administrators should restrict access to the DominoIQ RAG feature to the minimum necessary set of trusted users - for example, by adjusting Domino server and database ACLs to limit who can invoke the RAG query interface. This reduces the attacker population but does not remediate the underlying flaw for users who retain access. Organizations with highly sensitive Domino data should consider temporarily disabling the DominoIQ RAG feature entirely until patched, accepting the trade-off of lost AI query capability.

Share

CVE-2026-21836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy