CVE-2026-30855

{"id": "CVE-2026-30855", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-07T17:15:53.053", "references": [{"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-ccj6-79j6-cq5q", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account registration is open to the public, this vulnerability allows any unauthenticated attacker to register an account and subsequently exploit the system. This enables cross-tenant account takeover and destruction, making the impact critical. This issue has been patched in version 0.3.2."}, {"lang": "es", "value": "WeKnora es un framework impulsado por LLM dise\u00f1ado para la comprensi\u00f3n profunda de documentos y la recuperaci\u00f3n sem\u00e1ntica. Antes de la versi\u00f3n 0.3.2, una omisi\u00f3n de autorizaci\u00f3n en los endpoints de gesti\u00f3n de inquilinos de la aplicaci\u00f3n WeKnora permite a cualquier usuario autenticado leer, modificar o eliminar cualquier inquilino por ID. Dado que el registro de cuentas est\u00e1 abierto al p\u00fablico, esta vulnerabilidad permite a cualquier atacante no autenticado registrar una cuenta y posteriormente explotar el sistema. Esto permite la toma de control y destrucci\u00f3n de cuentas entre inquilinos, haciendo que el impacto sea cr\u00edtico. Este problema ha sido parcheado en la versi\u00f3n 0.3.2."}], "lastModified": "2026-03-09T17:33:08.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8CD2EAE-93F9-4249-9ED6-1896DA088B96", "versionEndExcluding": "0.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}