CVE-2026-30857
Authorization Bypass in WeKnora Enables Cross-Tenant Data Exfiltration
Publication date: 2026-03-07
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tencent | weknora | up to 0.3.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-30857 is a Broken Access Control vulnerability in the Tencent WeKnora knowledge base system affecting versions prior to 0.3.0. It occurs in the knowledge base copy endpoint, where any authenticated user can clone another tenant's knowledge base by providing the source knowledge base ID, without proper authorization checks.

The vulnerability arises because the system does not verify that the source knowledge base belongs to the requesting user's tenant. The cloning process copies all data and configurations from the victim's knowledge base into the attacker's tenant, enabling unauthorized access to and duplication of sensitive information. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure and duplication of sensitive tenant data, including documents, FAQ content, and configuration details.
- An attacker with low privileges but authenticated access can exfiltrate bulk data from other tenants.
- Confidentiality of tenant data is severely compromised, though integrity and availability are not affected.
- It can result in data breaches and loss of trust between tenants sharing the platform.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the /api/v1/knowledge-bases/copy endpoint that include a source knowledge base ID (source_id) not belonging to the authenticated user's tenant.

Specifically, detection involves checking logs or network traffic for POST requests in which an authenticated user attempts to clone knowledge bases from other tenants by supplying source_id values that do not match their tenant.

Suggested commands to detect such activity might include searching server logs or API gateway logs for suspicious POST requests. For example, using grep on server logs:

- `grep 'POST /api/v1/knowledge-bases/copy' /path/to/access.log | grep 'source_id='`

Additionally, monitoring for unusual cloning activity or spikes in knowledge base duplication requests by authenticated users can help identify exploitation attempts. [1]
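The grep above only locates copy requests; deciding whether a given source_id belongs to another tenant needs knowledge base ownership data. The following is an added example, not code from the advisory or from the WeKnora project, that performs that cross-tenant check over constructed JSON application-log lines. The log field names, tenant names and knowledge base IDs are assumptions: a real deployment's logger would have to record the caller's tenant and the request body's source_id, which a plain web-server access log does not.

```python
import json
from typing import Iterable

# Constructed sample: which tenant owns which knowledge base (hypothetical IDs).
KB_OWNER = {
    "kb-1001": "tenant-A",
    "kb-2002": "tenant-B",
    "kb-3003": "tenant-B",
}

# Constructed application-log lines, one JSON object per line. Field names are
# assumptions; the logger must capture the caller's tenant and the body's source_id.
SAMPLE_LOG = """\
{"ts":"2026-03-08T10:00:01Z","tenant":"tenant-A","user":"alice","method":"POST","path":"/api/v1/knowledge-bases/copy","body":{"source_id":"kb-1001"}}
{"ts":"2026-03-08T10:00:07Z","tenant":"tenant-A","user":"alice","method":"POST","path":"/api/v1/knowledge-bases/copy","body":{"source_id":"kb-2002"}}
{"ts":"2026-03-08T10:00:09Z","tenant":"tenant-B","user":"bob","method":"GET","path":"/api/v1/knowledge-bases","body":{}}
{"ts":"2026-03-08T10:00:12Z","tenant":"tenant-C","user":"carol","method":"POST","path":"/api/v1/knowledge-bases/copy","body":{"source_id":"kb-3003"}}
{"ts":"2026-03-08T10:00:15Z","tenant":"tenant-C","user":"carol","method":"POST","path":"/api/v1/knowledge-bases/copy","body":{"source_id":"kb-unknown"}}
"""

COPY_PATH = "/api/v1/knowledge-bases/copy"


def find_cross_tenant_copies(lines: Iterable[str], kb_owner: dict) -> list:
    """Return (user, tenant, source_id, owner) for every copy request whose
    source knowledge base is owned by a tenant other than the caller's.
    A source_id absent from the ownership map is reported with owner None,
    since probing for foreign or non-existent IDs is also worth reviewing."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if ev.get("method") != "POST" or ev.get("path") != COPY_PATH:
            continue
        source_id = (ev.get("body") or {}).get("source_id")
        if source_id is None:
            continue
        owner = kb_owner.get(source_id)
        if owner != ev.get("tenant"):
            findings.append((ev.get("user"), ev.get("tenant"), source_id, owner))
    return findings


if __name__ == "__main__":
    for user, tenant, kb, owner in find_cross_tenant_copies(SAMPLE_LOG.splitlines(), KB_OWNER):
        print(f"ALERT: {user}@{tenant} requested copy of {kb} owned by {owner}")
```

On the sample data this flags alice's copy of kb-2002 (owned by tenant-B), carol's copy of kb-3003, and carol's request for an unknown ID, while alice's copy of her own tenant's kb-1001 passes.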
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Tencent WeKnora system to version 0.3.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the /api/v1/knowledge-bases/copy endpoint to only trusted users or disable it if possible.
Implement additional monitoring and alerting for suspicious cloning requests that may indicate exploitation attempts.