PT-2026-47262 · Weaviate · Weaviate
Dem000 · Published 2026-06-08 · Updated 2026-06-08
CVE-2026-11500
CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Weaviate versions prior to 1.38.0-rc.0
Description: An issue exists in the Static API Key Handler component, within the validateConfig() function of the usecases/auth/authentication/apikey/client.go file. Manipulation of the StaticApiKey argument allows a remote authorization bypass. The attack complexity is high and exploitability is considered difficult.
Recommendations: Upgrade to version 1.38.0-rc.0. As a temporary workaround, restrict access to the validateConfig() function within the Static API Key Handler to minimize the risk of exploitation.

Weakness Enumeration: IDOR, Improper Authorization
Related Identifiers: CVE-2026-11500
Affected Products: Weaviate