CVE-2026-30855: WeKnora Vulnerable to Broken Access Control in Tenant Management

March 6, 2026 (updated March 9, 2026)

An authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account registration is open to the public, this vulnerability allows any unauthenticated attacker to register an account and subsequently exploit the system. This enables cross-tenant account takeover and destruction, making the impact critical.

References

github.com/Tencent/WeKnora
github.com/Tencent/WeKnora/security/advisories/GHSA-ccj6-79j6-cq5q
github.com/advisories/GHSA-ccj6-79j6-cq5q
nvd.nist.gov/vuln/detail/CVE-2026-30855

Code Behaviors & Features

Detect and mitigate CVE-2026-30855 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →