CVE-2026-30859: WeKnora has Broken Access Control - Cross-Tenant Data Exposure
A broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges.
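The missing control, as an added Python/SQLite example that is not WeKnora's code: a query helper that authenticates the caller but returns every row, beside one that adds the tenant predicate server-side from the session, plus an isolation check that can serve as a regression test. The `models` and `messages` table names come from the advisory; the columns, the `tenant_id` scoping column, the function names and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

# Table names come from the advisory; the columns and the tenant_id scoping
# column are assumptions made for this sketch.
TENANT_TABLES = {
    "models": ("id", "tenant_id", "name", "api_key"),
    "messages": ("id", "tenant_id", "content"),
}

def seed():
    """Build an in-memory database holding constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE models (id INTEGER, tenant_id INTEGER, name TEXT, api_key TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER, tenant_id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO models VALUES (?, ?, ?, ?)",
                     [(1, 1, "chat-a", "key-tenant-1"), (2, 2, "chat-b", "key-tenant-2")])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                     [(1, 1, "hello from tenant 1"), (2, 2, "private note of tenant 2")])
    return conn

def query_unscoped(conn, session_tenant_id, table):
    """The flawed pattern: the caller is authenticated, but rows are not filtered."""
    if table not in TENANT_TABLES:
        raise PermissionError(f"table not exposed: {table}")
    return conn.execute(f"SELECT * FROM {table}").fetchall()

def query_scoped(conn, session_tenant_id, table):
    """The tenant predicate is added server-side from the session, never from input."""
    if table not in TENANT_TABLES:
        raise PermissionError(f"table not exposed: {table}")
    cols = ", ".join(TENANT_TABLES[table])
    sql = f"SELECT {cols} FROM {table} WHERE tenant_id = ?"
    return conn.execute(sql, (session_tenant_id,)).fetchall()

def foreign_rows(query_fn, session_tenant_id):
    """Isolation check: return every row the session can read that it does not own."""
    conn = seed()
    leaked = []
    for table in TENANT_TABLES:
        for row in query_fn(conn, session_tenant_id, table):
            if row[1] != session_tenant_id:  # index 1 is tenant_id in both tables
                leaked.append((table, row))
    return leaked
```

Running `foreign_rows` against every data-access path for each tenant table, with at least two seeded tenants, catches a table that was left out of the scoping logic.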