CVE-2026-21836 PUBLISHED

HCL DominoIQ is affected by broken access control

Assigner: HCL
Reserved: 05.01.2026 Published: 20.05.2026 Updated: 20.05.2026

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	HCLSoftware
Product	DominoIQ
Versions	Default: unaffected Version 14.5.1 is affected

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130932

Problem Types

CWE-862 Missing Authorization CWE