CVE-2026-11500

Exploit

EPSS 0.28%
Veröffentlicht 08.06.2026 09:00:12
Zuletzt bearbeitet 08.06.2026 14:57:14
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

Weaviate Static API Key client.go validateConfig authorization

A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 11

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellern/a

≫

Produkt Weaviate

Version 1.37.0

Status affected

Version 1.37.1

Status affected

Version 1.37.2

Status affected

Version 1.37.3

Status affected

Version 1.37.4

Status affected

Version 1.37.5

Status affected

Version 1.37.6

Status affected

Version 1.37.7

Status affected

Version 1.38.0-rc.0

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.197

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	5	1.6	3.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	1.3	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	4.6	3.9	6.4	AV:N/AC:H/Au:S/C:P/I:P/A:P

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://vuldb.com/vuln/369120

https://vuldb.com/vuln/369120/cti

https://vuldb.com/cve/CVE-2026-11500

https://vuldb.com/submit/835080

https://github.com/weaviate/weaviate/issues/11392

https://github.com/weaviate/weaviate/commit/40f2cc32279f0f8a51016c3c6870a2c0c808e6c0

https://github.com/weaviate/weaviate/releases/tag/v1.38.0-rc.0

https://github.com/weaviate/weaviate/

https://nvd.nist.gov/vuln/detail/CVE-2026-11500

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-11500

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-11500

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-11500