CVE-2026-30855

HIGH

WeKnora <0.3.2 - Privilege Escalation

Title source: llm

Description

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account registration is open to the public, this vulnerability allows any unauthenticated attacker to register an account and subsequently exploit the system. This enables cross-tenant account takeover and destruction, making the impact critical. This issue has been patched in version 0.3.2.

References (1)

[Vendor Advisory] https://github.com/Tencent/WeKnora/security/advisories/GHSA-ccj6-79j6-cq5q

Scores

CVSS v3 8.8

EPSS 0.0008

EPSS Percentile 23.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-284

Status published

Affected Products (2)

Tencent/WeKnora < 0.3.2Go

tencent/weknora < 0.3.2

Timeline

Published Mar 07, 2026

Tracked Since Mar 08, 2026