Description
The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.
Published: 2026-05-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HCL DominoIQ RAG feature contains a broken access control flaw that causes document‑level read restrictions to be ignored when the feature selects data to answer an AI query. An attacker with valid credentials can exploit this weakness to retrieve document contents they are not permitted to read directly, because the restricted data is surfaced through the AI response rather than through the normal document view. The outcome is a loss of confidentiality for sensitive documents and a potential violation of data protection policies. The weakness is classified as CWE‑862 (Missing Authorization) and requires no privileges beyond normal authenticated user access to the application.
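The CVE text gives no implementation detail, so the following Python sketch is an added illustration of the general CWE‑862 pattern the description implies, not DominoIQ code and not anything HCL has published. It contrasts a retrieval step that ranks documents by relevance alone (what "document level access restrictions will be ignored" looks like in a RAG pipeline) with a hardened form that filters on the caller's authenticated principal before ranking and truncation. The corpus, the reader-set ACL model, the toy scoring function and the group names are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed corpus and ACL model for illustration only; not DominoIQ's
# data model. An empty reader set means the document is readable by anyone.
@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    readers: frozenset  # groups allowed to read the document

CORPUS = [
    Doc("memo-1", "Q3 layoff plan: close the Austin office", frozenset({"hr", "exec"})),
    Doc("faq-1", "Holiday calendar: office closed on Dec 25", frozenset()),
    Doc("memo-2", "Austin office lease renewal signed", frozenset({"facilities"})),
]

def _tokens(s):
    return re.findall(r"[a-z0-9]+", s.lower())

def score(query, doc):
    """Toy relevance: number of document tokens that also appear in the query.
    A real system would use embeddings; the authorization problem is the same."""
    q = set(_tokens(query))
    return sum(1 for t in _tokens(doc.text) if t in q)

def retrieve_unchecked(query, corpus, k=3):
    """VULNERABLE pattern (CWE-862): rank by relevance only. Anyone who can
    submit a query gets the top-k documents regardless of reader ACLs."""
    hits = [d for d in corpus if score(query, d) > 0]
    ranked = sorted(hits, key=lambda d: score(query, d), reverse=True)
    return [d.doc_id for d in ranked[:k]]

def can_read(principal_groups, doc):
    """Document-level check: public, or the caller shares a group with the ACL."""
    return not doc.readers or bool(doc.readers & principal_groups)

def retrieve_checked(query, corpus, principal_groups, k=3):
    """HARDENED: apply the caller's ACL before ranking and truncation.
    principal_groups must be derived from the authenticated session, never
    taken from the query payload. Filtering before top-k matters: filtering
    after it silently drops results and still exposes forbidden documents
    to the scoring step (and to any 'N results found' style metadata)."""
    allowed = [d for d in corpus
               if can_read(principal_groups, d) and score(query, d) > 0]
    ranked = sorted(allowed, key=lambda d: score(query, d), reverse=True)
    return [d.doc_id for d in ranked[:k]]

def build_context(doc_ids, corpus):
    """The text that reaches the model prompt, and therefore the answer."""
    by_id = {d.doc_id: d for d in corpus}
    return "\n".join(f"[{i}] {by_id[i].text}" for i in doc_ids)

if __name__ == "__main__":
    q = "Austin office"
    print("unchecked  :", retrieve_unchecked(q, CORPUS))
    print("as sales   :", retrieve_checked(q, CORPUS, frozenset({"sales"})))
    print("as hr      :", retrieve_checked(q, CORPUS, frozenset({"hr"})))
    print(build_context(retrieve_checked(q, CORPUS, frozenset({"sales"})), CORPUS))
```

Run as a script, the unchecked path returns all three documents for a user in the constructed "sales" group, so the layoff memo ends up in the model context; the checked path returns only the public FAQ entry for that user and the memo only for a member of "hr" or "exec".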

Affected Systems

Any deployment of HCL Software’s DominoIQ that includes the RAG feature is at risk. No specific product versions are listed in the advisory, so all installations using RAG are potentially affected until a vendor patch is applied or the feature is disabled. Administrators should inventory systems that run DominoIQ and verify whether RAG is active.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5, Medium: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires a low‑privileged authenticated account, and the impact is confined to confidentiality (C:H, I:N, A:N). No EPSS score is available and the flaw is not in CISA’s KEV catalog, so there is no observed exploitation signal yet; given that the CVE was published the same day, that is an absence of data rather than evidence of low risk. An attacker needs valid credentials and the ability to submit AI queries to the RAG feature; no direct read access to the restricted documents is needed, since their content is returned through the AI response. Denial of service and code execution are outside the scope of this CVE. Prompt remediation is advised to prevent unauthorized disclosure.

Generated by OpenCVE AI on May 20, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch or upgrade DominoIQ to a fixed version once HCL publishes one; at the time of this entry no fix or workaround is listed.
  • If a patch is not yet available, disable the RAG feature or isolate it from user traffic to prevent AI queries from bypassing document restrictions.
  • Review user roles and permissions to ensure only personnel with a business need can execute AI queries, and consider network segmentation or firewall rules to restrict access to the DominoIQ service. Note that this narrows the set of accounts able to exploit the flaw but does not restore document‑level enforcement: any remaining authenticated user can still trigger it until the feature is patched or disabled.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:15:00 +0000

Type         Values Removed   Values Added
Description                   The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data.
Title                         HCL DominoIQ is affected by broken access control
Weaknesses                    CWE-862
References
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-20T13:37:47.679Z

Reserved: 2026-01-05T16:08:25.000Z

Link: CVE-2026-21836

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-20T14:16:36.373

Modified: 2026-05-20T14:23:44.700

Link: CVE-2026-21836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:30:33Z

Weaknesses