101 matches found
CVE-2026-59093
Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers POST /authz/users/id/assign and /authz/groups/id/assign authorize only that the caller may assign role...
CVE-2026-59093 Weaviate < 1.38.0 - Privilege Escalation via Unchecked Permissions in RBAC Role Assignment
Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers POST /authz/users/id/assign and /authz/groups/id/assign authorize only that the caller may assign role...
CVE-2026-59093
Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers POST /authz/users/id/assign and /authz/groups/id/assign authorize only that the caller may assign role...
EUVD-2026-41424
Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers POST /authz/users/id/assign and /authz/groups/id/assign authorize only that the caller may assign role...
CVE-2026-59093
Weaviate prior to 1.38.0 fails to verify that a principal granting RBAC roles actually has permissions within those roles. The assignRoleToUser and assignRoleToGroup endpoints (POST /authz/users/{id}/assign, /authz/groups/{id}/assign) only check that the caller may assign roles, not the permissio...
PT-2026-55294
Name of the Vulnerable Software and Affected Versions Weaviate versions prior to 1.38.0 Description An issue exists where the system fails to verify if a principal performing a Role-Based Access Control RBAC role assignment possesses the permissions granted by the role being assigned. While role...
CVE-2026-11500
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
CVE-2026-11500
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
CVE-2026-11500
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
EUVD-2026-35034
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
CVE-2026-11500
The CVE affects Weaviate up to version 1.37.7, specifically the Static API Key Handler’s validateConfig function in usecases/auth/authentication/apikey/client.go. The issue arises from manipulation of the StaticApiKey argument, enabling remote authorization bypass. The vulnerability has a publicl...
CVE-2026-11500 Weaviate Static API Key client.go validateConfig authorization
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
CVE-2026-11500 Weaviate Static API Key client.go validateConfig authorization
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
PT-2026-47262
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is...
Weaviate 授权问题漏洞
Weaviate is an open-source vector database developed by Weaviate. Versions of Weaviate 1.37.7 and earlier had an authorization vulnerability. This vulnerability stemmed from incorrect handling of the parameter “StaticApiKey” in the function “validateConfig” within the Static API Key Handler...
CLEANSTART-2026-BK91157 Security fixes for ghsa-xmrv-pmrh-hhx2 applied in versions: 1.35.17-r0
Security vulnerability affects the weaviate-fips package. This issue is resolved in later releases. See references for vulnerability details...
CLEANSTART-2026-FL19517 Security fixes for ghsa-xmrv-pmrh-hhx2 applied in versions: 1.35.17-r0
Security vulnerability affects the weaviate-fips package. This issue is resolved in later releases. See references for vulnerability details...
CLEANSTART-2026-ON41795 Security fixes for ghsa-xmrv-pmrh-hhx2 applied in versions: 1.35.17-r0
Security vulnerability affects the weaviate-fips package. This issue is resolved in later releases. See references for vulnerability details...
CLEANSTART-2026-QO72222 Security fixes for ghsa-xmrv-pmrh-hhx2 applied in versions: 1.35.17-r0
Security vulnerability affects the weaviate-fips package. This issue is resolved in later releases. See references for vulnerability details...
CLEANSTART-2026-HJ72983 Security fixes for CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-68121, CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, ghsa-6g7g-w4f8-9c9x, ghsa-9h8m-3fm2-qjrq, ghsa-j5w8-q4qc-rx2x, ghsa-p77j-4mvh-x3m3, ghsa-xmrv-pmrh-hhx2 applied in versions: 1.35.17-r0, 1.35.17-r1, 1.35.2-r0, 1.35.2-r1, 1.35.2-r2
Multiple security vulnerabilities affect the weaviate package. These issues are resolved in later releases. See references for individual vulnerability details...