CVE-2026-8786
Authorization Bypass in Tencent WeKnora via Config API
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tencent | weknora | up to and including 0.3.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8786 is an Insecure Direct Object Reference (IDOR) vulnerability found in Tencent WeKnora up to version 0.3.6. It exists in the function getKnowledgeBaseForInitialization within the file internal/handler/initialization.go of the Config API Endpoint component.
The vulnerability allows an authenticated user to manipulate the kbId argument to bypass authorization checks. This means a user can access and modify the configuration of any other tenant's Knowledge Base (KB) without proper permission.
Specifically, the function retrieves a KB by its globally unique kbId without verifying if it belongs to the requester's tenant, enabling unauthorized cross-tenant access. Attackers can exploit this to read sensitive information and disrupt the victim's KB operations by changing configurations such as chunk sizes or LLM bindings.
The vulnerability can be exploited remotely and has been publicly disclosed. It has been patched in versions after 0.3.6.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized cross-tenant access to configuration and data within the Tencent WeKnora Knowledge Base, leading to potential information disclosure and unauthorized modification of tenant data.
Such unauthorized access and data manipulation can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to ensure confidentiality, integrity, and tenant data isolation.
Therefore, exploitation of this vulnerability could compromise compliance with these common standards and regulations by exposing or altering protected data without proper authorization.
How can this vulnerability impact me?
This vulnerability can have significant impacts including unauthorized access to sensitive data and disruption of service.
- An attacker can read and modify the configuration of other tenants' Knowledge Bases, leading to information disclosure.
- Attackers can alter configurations such as chunk sizes or LLM bindings, potentially corrupting the performance and logic of the victim's Knowledge Base.
- Because the exploit can be initiated remotely, it increases the risk of widespread unauthorized access.
- The vulnerability may lead to logical disruption of services, affecting availability and integrity of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to the getKnowledgeBaseForInitialization function by manipulating the kbId argument. Detection can focus on monitoring API requests to the Config API Endpoint for suspicious or unauthorized kbId values that do not belong to the authenticated user's tenant.
You can detect potential exploitation attempts by inspecting logs for unusual access patterns or requests where the kbId parameter is accessed across different tenants.
Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests to the vulnerable endpoint, and grep or similar tools to filter logs for suspicious kbId usage.
- Use tcpdump to capture traffic on the server port (e.g., port 80 or 443): `tcpdump -i eth0 -A 'tcp port 80 or tcp port 443'`
- Search application logs for requests to getKnowledgeBaseForInitialization with unusual kbId values: `grep 'getKnowledgeBaseForInitialization' /path/to/logfile | grep -v 'expected_tenant_kbId'`
- Use curl or similar tools to test access control by attempting to access kbId values belonging to other tenants and observe if unauthorized access is possible.
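The detection idea above, checking whether the kbId in a request belongs to the tenant that made it, is easiest to apply to the application's own access log rather than to packet captures (on port 443 tcpdump only shows TLS ciphertext). The following Go program is an added example, not WeKnora code or output: the log lines are constructed, the field names `tenant_id` and `kb_id` and the path `/api/v1/initialization/kb` are assumptions about how a structured access log might record the authenticated tenant and the kbId parameter, and the `KBOwner` map stands in for the knowledge-base ownership table that a real deployment would read from its database.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample access log (not real WeKnora output). Line 3 is the
// interesting one: tenant t-200 touches kb-aaa, which belongs to t-100.
const sampleLog = `2026-05-18T10:00:01Z method=GET path=/api/v1/initialization/kb tenant_id=t-100 kb_id=kb-aaa status=200
2026-05-18T10:00:05Z method=GET path=/api/v1/initialization/kb tenant_id=t-100 kb_id=kb-bbb status=200
2026-05-18T10:00:09Z method=PUT path=/api/v1/initialization/kb tenant_id=t-200 kb_id=kb-aaa status=200
2026-05-18T10:00:12Z method=GET path=/api/v1/initialization/kb tenant_id=t-200 kb_id=kb-ccc status=200
2026-05-18T10:00:15Z method=GET path=/healthz tenant_id=t-200 status=200`

// KBOwner maps a knowledge base id to the tenant that owns it. Constructed
// here; in production this comes from the application's database.
var KBOwner = map[string]string{
	"kb-aaa": "t-100",
	"kb-bbb": "t-100",
	"kb-ccc": "t-200",
}

// Finding describes one request whose kb_id is owned by a tenant other than
// the authenticated requester.
type Finding struct {
	Line          int
	Method        string
	RequestTenant string
	KBID          string
	OwnerTenant   string
}

// fieldRe matches key=value tokens in a structured log line.
var fieldRe = regexp.MustCompile(`(\w+)=(\S+)`)

// parseFields turns "k1=v1 k2=v2 ..." into a map.
func parseFields(line string) map[string]string {
	out := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		out[m[1]] = m[2]
	}
	return out
}

// FindCrossTenantAccess returns every request to the initialization endpoint
// whose kb_id belongs to a different tenant than the one that sent it.
// Requests for kb ids that are not in the ownership map are skipped here;
// repeated requests for non-existent ids would be a separate probing signal.
func FindCrossTenantAccess(log string, owners map[string]string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(log, "\n") {
		f := parseFields(line)
		kb, ok := f["kb_id"]
		if !ok || !strings.Contains(f["path"], "/initialization/") {
			continue
		}
		owner, known := owners[kb]
		if !known {
			continue
		}
		if owner != f["tenant_id"] {
			findings = append(findings, Finding{
				Line:          i + 1,
				Method:        f["method"],
				RequestTenant: f["tenant_id"],
				KBID:          kb,
				OwnerTenant:   owner,
			})
		}
	}
	return findings
}

func main() {
	for _, f := range FindCrossTenantAccess(sampleLog, KBOwner) {
		fmt.Printf("log line %d: tenant %s issued %s for %s, which is owned by %s\n",
			f.Line, f.RequestTenant, f.Method, f.KBID, f.OwnerTenant)
	}
}
```

Run against the constructed log, the program reports only line 3. A status of 200 on such a line is the strongest indicator: on a patched build the same request should be rejected, so cross-tenant requests that succeed point at an unpatched instance, while cross-tenant requests that fail are still worth alerting on as enumeration attempts.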
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tencent WeKnora to a version later than 0.3.6 where this vulnerability has been patched.
Until an upgrade is possible, restrict access to the Config API Endpoint to trusted users only and implement strict tenant validation on the kbId parameter to prevent unauthorized cross-tenant access.
Additionally, monitor logs for suspicious activity related to kbId manipulation and consider applying network-level controls such as firewall rules to limit access to the vulnerable service.
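The "strict tenant validation on the kbId parameter" recommended above comes down to one rule: a knowledge base fetched by its global id must also be checked against the tenant of the authenticated caller. The Go program below is an added illustration of that rule, written for this page; it is not WeKnora's code and does not reproduce its types, routes or middleware. The `KnowledgeBase` struct, the in-memory `store`, the bearer-token table, the `X`-free context-based tenant propagation and the path `/api/v1/initialization/kb` are all assumptions; only the `kbId` query parameter name comes from the advisory. `VulnerableHandler` shows the IDOR pattern the advisory describes, `FixedHandler` the hardened form.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// KnowledgeBase is a hypothetical model with the fields the example needs.
type KnowledgeBase struct {
	ID        string `json:"id"`
	TenantID  string `json:"tenant_id"`
	ChunkSize int    `json:"chunk_size"`
}

// store stands in for the database. Constructed sample data.
var store = map[string]*KnowledgeBase{
	"kb-aaa": {ID: "kb-aaa", TenantID: "t-100", ChunkSize: 512},
	"kb-ccc": {ID: "kb-ccc", TenantID: "t-200", ChunkSize: 1024},
}

// tokens stands in for token validation: constructed bearer token -> tenant.
var tokens = map[string]string{"token-100": "t-100", "token-200": "t-200"}

var ErrNotFound = errors.New("knowledge base not found")

type tenantKey struct{}

// authMiddleware authenticates the caller and records the tenant in the request
// context, so the handler never trusts a client-supplied tenant value.
func authMiddleware(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tenant, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r.WithContext(context.WithValue(r.Context(), tenantKey{}, tenant)))
	}
}

// getKBByIDUnchecked is the IDOR pattern: lookup by globally unique id only.
func getKBByIDUnchecked(kbID string) (*KnowledgeBase, error) {
	kb, ok := store[kbID]
	if !ok {
		return nil, ErrNotFound
	}
	return kb, nil
}

// getKBForTenant is the hardened lookup: the record must belong to the caller's
// tenant. A KB owned by another tenant is reported as not found rather than as
// forbidden, so the response does not confirm that the id exists.
func getKBForTenant(requesterTenant, kbID string) (*KnowledgeBase, error) {
	kb, ok := store[kbID]
	if !ok || kb.TenantID != requesterTenant {
		return nil, ErrNotFound
	}
	return kb, nil
}

func writeKB(w http.ResponseWriter, kb *KnowledgeBase, err error) {
	if err != nil {
		http.Error(w, err.Error(), http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(kb)
}

// VulnerableHandler serves whatever kbId the caller names (the advisory's flaw).
var VulnerableHandler = authMiddleware(func(w http.ResponseWriter, r *http.Request) {
	kb, err := getKBByIDUnchecked(r.URL.Query().Get("kbId"))
	writeKB(w, kb, err)
})

// FixedHandler scopes the lookup to the authenticated tenant.
var FixedHandler = authMiddleware(func(w http.ResponseWriter, r *http.Request) {
	tenant, _ := r.Context().Value(tenantKey{}).(string)
	kb, err := getKBForTenant(tenant, r.URL.Query().Get("kbId"))
	writeKB(w, kb, err)
})

// StatusFor sends one in-process request with the given bearer token and kbId
// and returns the HTTP status the handler produced.
func StatusFor(h http.HandlerFunc, token, kbID string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/initialization/kb?kbId="+kbID, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, other tenant's kb:", StatusFor(VulnerableHandler, "token-200", "kb-aaa")) // 200
	fmt.Println("fixed, other tenant's kb:     ", StatusFor(FixedHandler, "token-200", "kb-aaa"))      // 404
	fmt.Println("fixed, own kb:                ", StatusFor(FixedHandler, "token-100", "kb-aaa"))      // 200
}
```

The same check belongs on every route that accepts a kbId, including the update path that changes chunk sizes or LLM bindings, and ideally lives in the data-access layer (a query filtered by both id and tenant id) so that a handler cannot forget it.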