Vulnerability Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account registration is open to the public, this vulnerability allows any unauthenticated attacker to register an account and subsequently exploit the system. This enables cross-tenant account takeover and destruction, making the impact critical. This issue has been patched in version 0.3.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tencent | Weknora | < 0.3.2 |
Related Weaknesses (CWE)
References
- https://github.com/Tencent/WeKnora/security/advisories/GHSA-ccj6-79j6-cq5qExploitVendor Advisory
FAQ
What is CVE-2026-30855?
CVE-2026-30855 is a vulnerability with a CVSS score of 8.8 (HIGH). WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora applicati...
How severe is CVE-2026-30855?
CVE-2026-30855 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30855?
Check the references section above for vendor advisories and patch information. Affected products include: Tencent Weknora.