EUVD-2026-35034
GHSA-jqpm-wf57-qx5c
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.
AnalysisAI
Authorization bypass in Weaviate's Static API Key Handler (versions 1.37.0-1.37.7) stems from the validateConfig function failing to reject duplicate API keys mapped to distinct users, allowing key-to-user resolution to resolve ambiguously. An authenticated low-privilege attacker holding a duplicated key can authenticate to Weaviate and be resolved as an unintended user identity, bypassing user-level authorization controls. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following conditions to be true simultaneously: (1) The Weaviate instance must have the Static API Key authentication feature explicitly enabled in configuration - this is not the default state for all deployments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 score of 1.3 is very low, and the vector accurately reflects the real-world risk profile: AV:N (network-reachable) but AC:H (high complexity), PR:L (low privilege - attacker must already hold a valid key), and limited confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L) scoped to the vulnerable system only (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An administrator has deployed Weaviate with Static API Key authentication and inadvertently (or through a tooling error) configured the same key value for two users - for example, 'jane' and 'jessica' both assigned 'secret-key'. An attacker holding that key authenticates to Weaviate, and due to the unvalidated duplicate, the key resolves to the alternate user identity rather than the attacker's own. … |
| Remediation | Upgrade Weaviate to version 1.38.0-rc.0 or later, which incorporates the fix at commit 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0 (https://github.com/weaviate/weaviate/commit/40f2cc32279f0f8a51016c3c6870a2c0c808e6c0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today