CVE-2026-11500
MEDIUMWeaviate Static API Key client.go validateConfig authorization
Title source: cnaDescription
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.
References (8)
Core 8
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-369120 | Weaviate Static API Key client.go validateConfig authorization
https://vuldb.com/vuln/369120
Signature, Permissions Required signature
permissions-required
VDB-369120 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/369120/cti
Third Party Advisory third-party-advisory
CVE-2026-11500 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11500
Third Party Advisory third-party-advisory
Submit #835080 | weaviate 20f14bed78eddac098f84aad97204c0d86ad0c34 Authorization Bypass
https://vuldb.com/submit/835080
Product product
https://github.com/weaviate/weaviate/
Exploit exploit
issue-tracking
https://github.com/weaviate/weaviate/issues/11392
Scores
CVSS v3
5.0
EPSS
0.0044
EPSS Percentile
35.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
CWE-639
Status
published
Products (9)
None/Weaviate
1.37.0
None/Weaviate
1.37.1
None/Weaviate
1.37.2
None/Weaviate
1.37.3
None/Weaviate
1.37.4
None/Weaviate
1.37.5
None/Weaviate
1.37.6
None/Weaviate
1.37.7
None/Weaviate
1.38.0-rc.0
Published
Jun 08, 2026
Tracked Since
Jun 08, 2026