PT-2026-23798 · Weknora · Weknora

Aleister1102 · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-30855

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WeKnora versions prior to 0.3.2

Description

WeKnora is a framework for deep document understanding and semantic retrieval. A flaw exists in the tenant management endpoints that allows authenticated users to read, modify, or delete any tenant by ID. Because account registration is open to the public, an unauthenticated attacker can register an account and exploit this issue. This can lead to cross-tenant account takeover and destruction. The affected API endpoints are:
  • /api/v1/tenants
  • /api/v1/tenants/{id}

The vulnerability occurs because the tenant management handlers do not validate ownership or cross-tenant privileges before performing actions. The handlers directly use the tenant ID from the path without authorization checks. The id variable in the API endpoint /api/v1/tenants/{id} is particularly vulnerable.

Recommendations

Versions prior to 0.3.2 should be updated to version 0.3.2 or later.
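
The ownership check that the description says is missing, as an added example (not WeKnora's code and not the 0.3.2 patch): a Go net/http wrapper that compares the tenant ID in the path with the tenant bound to the authenticated session and denies by default. `Caller`, `callerKey`, `authorizeTenant`, `tenantHandler` and `status` are hypothetical names, and the requests in `main` are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Caller is what a (hypothetical) auth middleware derives from the session token.
type Caller struct {
	TenantID    uint64
	CrossTenant bool // explicit privilege to act on other tenants
}
type callerKey struct{} // context key under which the Caller is stored

// authorizeTenant runs next only for the caller's own tenant or a cross-tenant role.
func authorizeTenant(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id, err := strconv.ParseUint(strings.TrimPrefix(r.URL.Path, "/api/v1/tenants/"), 10, 64)
		if err != nil {
			http.Error(w, "bad tenant id", http.StatusBadRequest)
			return
		}
		c, ok := r.Context().Value(callerKey{}).(Caller)
		if !ok || (id != c.TenantID && !c.CrossTenant) { // deny by default
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func tenantHandler(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) } // stand-in for read/update/delete

// status sends a constructed request as caller c and returns the HTTP status code.
func status(h http.HandlerFunc, method, path string, c Caller) int {
	req := httptest.NewRequest(method, path, nil)
	rec := httptest.NewRecorder()
	h(rec, req.WithContext(context.WithValue(req.Context(), callerKey{}, c)))
	return rec.Code
}

func main() {
	guarded := authorizeTenant(tenantHandler)
	fmt.Println(status(tenantHandler, "DELETE", "/api/v1/tenants/8", Caller{TenantID: 7})) // unguarded handler
	fmt.Println(status(guarded, "DELETE", "/api/v1/tenants/8", Caller{TenantID: 7}))       // same request, guarded
}
```

The same comparison belongs on every method of the tenant routes, since the description covers read, modify and delete alike.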

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-30855
GHSA-CCJ6-79J6-CQ5Q
GO-2026-4642
SUSE-SU-2026:1042-1

Affected Products

Weknora