CVE-2026-30855: Broken Object Level Authorization in Tencent WeKnora
Vulnerability ID: CVE-2026-30855
CVSS Score: 8.8
Published: 2026-03-06
Tencent WeKnora versions prior to 0.3.2 contain a critical Broken Object Level Authorization (BOLA) vulnerability. The API fails to validate user session context against requested tenant identifiers, allowing authenticated attackers to view, modify, or delete any tenant workspace and extract sensitive LLM API keys.
TL;DR
A high-severity BOLA flaw in WeKnora < 0.3.2 allows any registered user to bypass authorization, exposing all tenant data and enabling destructive operations. Patching to 0.3.2 resolves the issue by enforcing context-aware repository scoping.
⚠️ Exploit Status: POC
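The root cause and the fix described above, as an added illustration in Go that is not WeKnora's code: `GetTenantUnscoped` fetches a workspace by the client-supplied identifier alone (the BOLA pattern), while `GetTenantScoped` derives the tenant from the authenticated session context and refuses a mismatch. All names, the in-memory store and the placeholder keys are constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Tenant is a constructed stand-in for a workspace record (not WeKnora's model); APIKey is the secret at risk.
type Tenant struct{ ID uint; APIKey string }

// store is a constructed in-memory table standing in for the database.
var store = map[uint]*Tenant{
	1: {ID: 1, APIKey: "sk-tenant1-PLACEHOLDER"},
	2: {ID: 2, APIKey: "sk-tenant2-PLACEHOLDER"},
}

var ErrForbidden = errors.New("forbidden: tenant not owned by caller")
type ctxKey string

// WithSessionTenant models auth middleware binding the caller's own tenant into the context.
func WithSessionTenant(ctx context.Context, tenantID uint) context.Context {
	return context.WithValue(ctx, ctxKey("session_tenant"), tenantID)
}

// GetTenantUnscoped is the BOLA pattern: fetch by the client-supplied ID, never consult the session.
func GetTenantUnscoped(ctx context.Context, requestedID uint) (*Tenant, error) {
	if t, ok := store[requestedID]; ok {
		return t, nil
	}
	return nil, errors.New("not found")
}

// GetTenantScoped is the context-aware form: the lookup is confined to the session's tenant.
func GetTenantScoped(ctx context.Context, requestedID uint) (*Tenant, error) {
	sessionID, ok := ctx.Value(ctxKey("session_tenant")).(uint)
	if !ok {
		return nil, errors.New("unauthenticated")
	}
	if requestedID != sessionID {
		return nil, ErrForbidden
	}
	return GetTenantUnscoped(ctx, requestedID)
}

func main() {
	ctx := WithSessionTenant(context.Background(), 1) // caller belongs to tenant 1
	t, _ := GetTenantUnscoped(ctx, 2)                 // vulnerable path: succeeds
	_, err := GetTenantScoped(ctx, 2)                 // fixed path: refused
	fmt.Println("unscoped leaked:", t.APIKey, "| scoped:", err)
}
```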
Technical Details
- CWE ID: CWE-284, CWE-639
- Attack Vector: Network
- CVSS Score: 8.8
- Impact: High (Confidentiality, Integrity, Availability)
- Exploit Status: Proof of Concept Available
- Authentication Required: Low (Standard User)
Affected Systems
- Tencent WeKnora
- WeKnora: < 0.3.2 (Fixed in: 0.3.2)
Mitigation Strategies
- Upgrade WeKnora to version 0.3.2 or later.
- Disable public account registration to remove the initial access vector.
- Implement network-level restrictions on tenant management API endpoints.
Remediation Steps:
- Verify the current running version of WeKnora.
- Apply the 0.3.2 update following official deployment documentation.
- Rotate all LLM API keys configured within the platform.
- Review HTTP access logs for unauthorized requests targeting /api/v1/tenants.
References
- GitHub Security Advisory GHSA-ccj6-79j6-cq5q
- Miggo Vulnerability Database - CVE-2026-30855
- CVE.org Record for CVE-2026-30855
- Tencent WeKnora Repository