CVE-2026-30859

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-30859

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30859.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-30859

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-07T16:35:30.415Z

Modified

2026-03-26T09:14:27.492979Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

WeKnora: Broken Access Control - Cross-Tenant Data Exposure

Details

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges. This issue has been patched in version 0.2.12.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30859.json"
}

References

Affected packages

Git / github.com/tencent/weknora

Affected ranges

Type: GIT
Repo: https://github.com/tencent/weknora
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7f39d28a339f39e14c459a71fe768b59164e1ef8

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.5

v0.1.6

v0.2.0

v0.2.1

v0.2.10

v0.2.11

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30859.json"