CVE-2026-30855

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-30855

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30855.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-30855

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-07T16:31:10.564Z

Modified

2026-03-26T09:14:23.947358Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

WeKnora: Broken Access Control in Tenant Management

Details

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account registration is open to the public, this vulnerability allows any unauthenticated attacker to register an account and subsequently exploit the system. This enables cross-tenant account takeover and destruction, making the impact critical. This issue has been patched in version 0.3.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30855.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Git / github.com/tencent/weknora

Affected ranges

Type: GIT
Repo: https://github.com/tencent/weknora
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a0952edc079a1dca00593029186608cc8b3a3de0

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.5

v0.1.6

v0.2.0

v0.2.1

v0.2.10

v0.2.11

v0.2.12

v0.2.13

v0.2.14

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

v0.3.0

v0.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30855.json"