PatchSiren cyber security CVE debrief
CVE-2026-21836 HCLSoftware CVE debrief
CVE-2026-21836 describes a broken access control issue in the HCL DominoIQ RAG feature. Under certain circumstances, document-level access restrictions can be ignored when the AI query engine decides what data to return, which could allow an authenticated attacker to see sensitive information. The issue was published on 2026-05-20 and is rated CVSS 6.5 (Medium) with confidentiality impact only. The available source material ties the report to HCL’s PSIRT reference and NVD’s record, but the vendor attribution in the supplied corpus is still marked low-confidence and needs review.
- Vendor: HCLSoftware
- Product: DominoIQ
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Administrators and security teams running HCL DominoIQ, especially any deployment using the RAG feature or relying on document-level access controls to protect sensitive content. IAM and application security teams should also review whether authenticated users can query content they should not be able to access.
Technical summary
The reported flaw is a broken access control condition in an AI retrieval workflow. The supplied NVD metadata says the vulnerability can cause document-level access restrictions to be ignored when returning AI query results. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network reachability, low attack complexity, low privileges required, no user interaction, and high confidentiality impact. NVD maps the weakness to CWE-862 (Missing Authorization).
Defensive priority
Medium. This is an authenticated-access data exposure issue with high confidentiality impact, so it should be prioritized for environments handling regulated, confidential, or internal-only documents, even though the overall CVSS severity is Medium.
Recommended defensive actions
- Review HCL’s PSIRT guidance and apply the vendor-recommended fix or workaround for KB0130932 as soon as it is available to your environment.
- Restrict access to DominoIQ RAG functionality to only the minimum set of authenticated users who need it.
- Audit AI query paths and authorization checks to confirm document-level permissions are enforced at retrieval time, not only at indexing or storage time.
- Test with representative restricted documents to verify that denied content cannot be returned through AI queries.
- Review logs for unusual query patterns from authenticated accounts that could indicate attempts to enumerate restricted content.
- Until remediated, consider disabling or limiting the RAG feature for collections containing sensitive data.
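To illustrate the audit and test items above, the following is an added example, not HCL or DominoIQ code: a toy RAG lookup where the weak path ranks every indexed document without consulting the querying user's rights, and the hardened path filters on each document's live ACL before ranking, with a helper that checks returned results for restricted documents. The corpus, group names and relevance scoring are constructed assumptions.

```python
"""Retrieval-time document authorization for a RAG lookup (constructed example)."""
from dataclasses import dataclass


@dataclass
class Doc:
    doc_id: str
    text: str
    readers: frozenset  # groups allowed to read the document (the live ACL)


# Constructed corpus: the salary document is restricted to the "hr" group.
CORPUS = {
    "handbook": Doc("handbook", "vacation policy and salary review calendar", frozenset({"everyone"})),
    "hr-salaries": Doc("hr-salaries", "salary bands listed by employee name", frozenset({"hr"})),
}


def score(query: str, text: str) -> int:
    """Toy relevance: number of query terms that appear in the document text."""
    return len(set(query.lower().split()) & set(text.lower().split()))


def retrieve_unfiltered(corpus, query, k=1):
    """Weak pattern: the index was built by a privileged indexer and retrieval
    ranks every document, so the querying user's rights are never consulted."""
    ranked = sorted(corpus.values(), key=lambda d: score(query, d.text), reverse=True)
    return [d.doc_id for d in ranked[:k] if score(query, d.text) > 0]


def retrieve_authorized(corpus, query, user_groups, k=1):
    """Hardened pattern: check each document's live ACL against the user's
    groups first, so top-k is chosen only among documents the user may read."""
    allowed = [d for d in corpus.values() if d.readers & user_groups]
    ranked = sorted(allowed, key=lambda d: score(query, d.text), reverse=True)
    return [d.doc_id for d in ranked[:k] if score(query, d.text) > 0]


def leaks_restricted(results, corpus, user_groups):
    """Verification helper: True if any returned document lies outside the user's ACL."""
    return any(not (corpus[doc_id].readers & user_groups) for doc_id in results)


if __name__ == "__main__":
    staff = frozenset({"everyone"})
    print(retrieve_unfiltered(CORPUS, "salary bands"))         # ['hr-salaries'] (leak)
    print(retrieve_authorized(CORPUS, "salary bands", staff))  # ['handbook']
```

Running the same representative query as a non-HR user through both paths is the kind of test the action list above asks for: a restricted document appearing in the results is a finding.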
Evidence notes
Evidence is limited to the supplied NVD record and the referenced HCL PSIRT support article. The NVD metadata states the vulnerability affects HCL DominoIQ RAG, may ignore document-level access restrictions under certain circumstances, and can expose sensitive data to an authenticated attacker. No exploit details or additional product/version scope were provided in the source corpus.
Official resources
- CVE-2026-21836 CVE record (CVE.org)
- CVE-2026-21836 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
Publicly disclosed on 2026-05-20 in the supplied CVE/NVD record. The corpus does not include additional timeline details beyond publication and same-day modification.