PT-2026-23800 · Weknora · Weknora

Aleister1102 · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-30857

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WeKnora versions prior to 0.3.0
Description: WeKnora is a framework for deep document understanding and semantic retrieval. Versions prior to 0.3.0 contain a cross-tenant authorization bypass (an IDOR) in the knowledge base copy endpoint, POST /api/v1/knowledge-bases/copy. An authenticated user of one tenant can clone another tenant's knowledge base into their own tenant by supplying that knowledge base's ID as the source id parameter, which they only need to know or guess; the result is bulk exfiltration of the victim's knowledge base configuration and content. The root cause is that the attacker-supplied source id is used without an ownership check: the repository-layer GetKnowledgeBaseByID function looks the record up by ID alone and does not enforce tenant isolation, so the handler copies whatever knowledge base that ID names into a new knowledge base under the attacker's tenant.
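The pattern the description names, a repository lookup keyed on the ID alone versus one scoped to the caller's tenant, as an added Go example. This is not WeKnora's code or its 0.3.0 fix: the in-memory repository, the `CopyRequest` field name `source_id`, the `GetKnowledgeBaseByIDForTenant` name and the sample tenant data are all constructed for illustration; only `GetKnowledgeBaseByID` and the endpoint path come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned both for a missing ID and for an ID owned by another
// tenant, so the endpoint cannot be used as an oracle to confirm foreign IDs.
var ErrNotFound = errors.New("knowledge base not found")

// KnowledgeBase is a minimal stand-in for the real record.
type KnowledgeBase struct {
	ID        string
	TenantID  uint
	Name      string
	Documents []string
}

// Repo is an in-memory repository standing in for the database layer (hypothetical).
type Repo struct {
	byID   map[string]*KnowledgeBase
	nextID int
}

func NewRepo() *Repo { return &Repo{byID: map[string]*KnowledgeBase{}} }

func (r *Repo) Create(kb *KnowledgeBase) *KnowledgeBase {
	r.nextID++
	kb.ID = fmt.Sprintf("kb-%04d", r.nextID) // sequential IDs are easy to guess
	r.byID[kb.ID] = kb
	return kb
}

// GetKnowledgeBaseByID mirrors the pre-0.3.0 pattern the advisory describes:
// the lookup is keyed on the ID alone, with no tenant predicate.
func (r *Repo) GetKnowledgeBaseByID(id string) (*KnowledgeBase, error) {
	kb, ok := r.byID[id]
	if !ok {
		return nil, ErrNotFound
	}
	return kb, nil
}

// GetKnowledgeBaseByIDForTenant (hypothetical name) is the tenant-scoped lookup:
// the caller's tenant is part of the query, so a foreign ID looks nonexistent.
func (r *Repo) GetKnowledgeBaseByIDForTenant(tenantID uint, id string) (*KnowledgeBase, error) {
	kb, ok := r.byID[id]
	if !ok || kb.TenantID != tenantID {
		return nil, ErrNotFound
	}
	return kb, nil
}

// CopyRequest is the body of POST /api/v1/knowledge-bases/copy, reduced to the
// one field that matters here (JSON name assumed).
type CopyRequest struct {
	SourceID string `json:"source_id"`
}

// clone copies configuration and content of src into a new KB owned by callerTenant.
func (r *Repo) clone(src *KnowledgeBase, callerTenant uint) *KnowledgeBase {
	docs := append([]string(nil), src.Documents...)
	return r.Create(&KnowledgeBase{TenantID: callerTenant, Name: src.Name + " (copy)", Documents: docs})
}

// CopyVulnerable uses the session tenant only for the destination, never for the source.
func (r *Repo) CopyVulnerable(callerTenant uint, req CopyRequest) (*KnowledgeBase, error) {
	src, err := r.GetKnowledgeBaseByID(req.SourceID)
	if err != nil {
		return nil, err
	}
	return r.clone(src, callerTenant), nil
}

// CopyFixed scopes the source lookup to the session tenant as well.
func (r *Repo) CopyFixed(callerTenant uint, req CopyRequest) (*KnowledgeBase, error) {
	src, err := r.GetKnowledgeBaseByIDForTenant(callerTenant, req.SourceID)
	if err != nil {
		return nil, err
	}
	return r.clone(src, callerTenant), nil
}

// DemoResult summarises one run: does the vulnerable handler leak across tenants,
// does the fixed one refuse, and does the fixed one still serve a same-tenant copy.
type DemoResult struct {
	VulnCrossTenantCopied  bool
	LeakedDocs             int
	FixedCrossTenantDenied bool
	FixedOwnTenantCopied   bool
}

func Demo() DemoResult {
	repo := NewRepo()
	// Constructed sample data: tenant 1 owns a KB; tenant 2 is the attacker.
	victim := repo.Create(&KnowledgeBase{TenantID: 1, Name: "Tenant 1 HR policies",
		Documents: []string{"salaries.pdf", "offer-letters.docx"}})
	req := CopyRequest{SourceID: victim.ID} // ID known or guessed by tenant 2

	stolen, errV := repo.CopyVulnerable(2, req)
	_, errF := repo.CopyFixed(2, req)
	own, errOwn := repo.CopyFixed(1, req)

	res := DemoResult{
		VulnCrossTenantCopied:  errV == nil && stolen.TenantID == 2,
		FixedCrossTenantDenied: errors.Is(errF, ErrNotFound),
		FixedOwnTenantCopied:   errOwn == nil && own.TenantID == 1,
	}
	if errV == nil {
		res.LeakedDocs = len(stolen.Documents)
	}
	return res
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The fixed lookup returns the same not-found error for a foreign ID as for an unknown one; returning a distinct "forbidden" would turn the copy endpoint into an oracle for enumerating other tenants' knowledge base IDs, which matters precisely because the attack only needs a known or guessed ID.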
Recommendations: Update WeKnora to version 0.3.0 or later, which addresses this issue.

Exploit · Fix · IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-30857
GHSA-8RF9-C59G-F82F
GO-2026-4640
SUSE-SU-2026:1042-1

Affected Products

Weknora