Skip to main content

Tencent WeKnora CVE-2026-8786

| EUVDEUVD-2026-30730 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-18 VulDB GHSA-4cvj-xf75-4wv6
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 18, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
May 18, 2026 - 04:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 18, 2026 - 03:45 vuln.today

DescriptionCVE.org

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authorization bypass in Tencent WeKnora's Config API endpoint allows authenticated attackers to access unauthorized knowledge bases by manipulating the kbId parameter in getKnowledgeBaseForInitialization function. Affects all versions up to 0.3.6. Publicly available exploit code exists via GitHub Gist, enabling low-complexity attacks with network access. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability. EPSS data not available, but public POC increases exploitation likelihood. Vendor unresponsive to disclosure, indicating no official patch timeline.

Technical ContextAI

The vulnerability resides in internal/handler/initialization.go within the Config API endpoint of WeKnora, a Tencent knowledge management platform. The getKnowledgeBaseForInitialization function fails to properly validate authorization when processing kbId arguments, implementing a broken access control pattern classified as CWE-639 (Authorization Bypass Through User-Controlled Key). This weakness allows authenticated users to manipulate object references (knowledge base identifiers) to access resources outside their authorization scope. The CPE string cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:* confirms Tencent as vendor with all versions through 0.3.6 vulnerable. The Golang implementation suggests the flaw stems from insufficient input validation and missing authorization checks before database/resource queries in the initialization workflow.

RemediationAI

No vendor-released patch exists for CVE-2026-8786 as Tencent has not responded to vulnerability disclosure per VulDB submission 812172. Organizations should implement immediate compensating controls: First, restrict network access to the Config API endpoint to trusted IP ranges or internal networks only, reducing attack surface from AV:N to local network scope. Second, implement application-layer authentication proxies or API gateways with additional authorization checks validating kbId parameter access against user permissions before forwarding requests to WeKnora. Third, enable comprehensive API audit logging to detect unauthorized knowledge base access attempts through anomalous kbId patterns. Fourth, consider suspending the initialization endpoint functionality if not operationally critical. Trade-offs include reduced functionality for initialization workflows and increased operational complexity from proxy deployments. Monitor VulDB advisories at vuldb.com/vuln/364410 and Tencent security channels for future patch releases. For critical deployments, evaluate migration to alternative knowledge management platforms with active security maintenance.

Share

CVE-2026-8786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy