CVE-2026-30859

MEDIUM

WeKnora <0.2.12 - Privilege Escalation

Title source: llm

Description

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges. This issue has been patched in version 0.2.12.

References (1)

[Vendor Advisory] https://github.com/Tencent/WeKnora/security/advisories/GHSA-2f4c-vrjq-rcgv

Scores

CVSS v3 5.3

EPSS 0.0005

EPSS Percentile 14.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (2)

tencent/weknora < 0.2.12

Tencent/WeKnora 0 - 0.2.12Go

Published Mar 07, 2026

Tracked Since Mar 08, 2026