CVE-2026-11500
Deferred - Pending Action
Authorization Bypass in Weaviate via Static API Key

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was identified in Weaviate up to 1.37.7. It affects the function validateConfig in the file usecases/auth/authentication/apikey/client.go of the Static API Key Handler component. Manipulation of the argument StaticApiKey leads to authorization bypass. The attack can be initiated remotely, but its complexity is rather high and the exploitability is stated to be difficult. An exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 resolves this issue; the identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: weaviate
Product: weaviate
Version / Range: up to 1.37.7 (inclusive)
CWE ID and Description
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-11500 is a security vulnerability in Weaviate up to version 1.37.7 affecting the Static API Key Handler component. The issue arises because the configuration validation accepts duplicate static API keys, which leads to authorization bypass.

Specifically, when the same API key is assigned to multiple users, authentication resolves the key to the first matching user in the configuration list rather than to the user the key was meant to identify. A holder of such a duplicated key is therefore authenticated as that first entry, which may be a higher-privileged user.

The vulnerability is located in the validateConfig function of the file usecases/auth/authentication/apikey/client.go. The attack can be initiated remotely but is considered difficult to exploit due to its complexity.

The issue was fixed by changing the validation logic to reject duplicate API keys, so that only configurations with unique keys are accepted.

Impact Analysis

This vulnerability can lead to unauthorized access and privilege escalation in systems using Weaviate with static API keys.

An attacker who obtains or shares a duplicated API key can impersonate another user, potentially one with higher permissions, thereby gaining access to sensitive data or operations they should not have.

Because the authentication process returns the first matching user for a duplicated key, the attacker can bypass proper authorization checks, leading to security risks such as data breaches or unauthorized modifications.

Detection Guidance

This vulnerability involves duplicate static API keys being accepted by Weaviate, which can lead to authorization bypass. Detection therefore means checking the configuration for duplicate entries in the AllowedKeys list.

Since the vulnerability lies in the validateConfig function of the authentication module, you can detect exposure by reviewing your Weaviate configuration for duplicate static API keys.

The referenced resources provide no specific network or system commands that detect this vulnerability automatically.

A practical approach is to audit your API key configuration manually, or with a script that parses the AllowedKeys configuration and confirms that every key is unique.
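As an added example (written for this page, not Weaviate's own code and not the upstream fix), the audit script suggested above in Go: it takes the comma-separated AUTHENTICATION_APIKEY_ALLOWED_KEYS and AUTHENTICATION_APIKEY_USERS values, assumes keys map to users by position (or that a single user owns every key), and reports each duplicate together with the earlier entry that the first-match behaviour described in the summary would resolve it to.

```go
package main

import (
	"fmt"
	"strings"
)

// splitList turns a comma-separated env value into trimmed, non-empty entries.
func splitList(v string) []string {
	var out []string
	for _, s := range strings.Split(v, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// AuditStaticAPIKeys reports problems in a static API key setup. allowed and users
// are the raw comma-separated values of AUTHENTICATION_APIKEY_ALLOWED_KEYS and
// AUTHENTICATION_APIKEY_USERS (assumption: keys map to users by position, or a
// single user owns every key). An empty result means no findings.
func AuditStaticAPIKeys(allowed, users string) []string {
	keys, names := splitList(allowed), splitList(users)
	var findings []string
	if len(names) != 1 && len(keys) != len(names) {
		findings = append(findings, fmt.Sprintf("count mismatch: %d keys vs %d users", len(keys), len(names)))
	}
	userAt := func(i int) string { // user that key position i was meant to identify
		if len(names) == 1 {
			return names[0]
		} else if i < len(names) {
			return names[i]
		}
		return "<unmapped>"
	}
	seen := map[string]int{} // key -> position of the first user holding it
	for i, k := range keys {
		if first, dup := seen[k]; dup {
			// Pre-fix, the key holder was authenticated as the first matching entry.
			findings = append(findings, fmt.Sprintf(
				"duplicate key at position %d: first match wins, %q can act as %q",
				i, userAt(i), userAt(first)))
			continue
		}
		seen[k] = i
	}
	return findings
}
```

Run it against the values from your deployment's environment or compose file; any "duplicate key" finding means the deployment is exposed until it is upgraded and the keys are made unique.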

Mitigation Strategies

The primary mitigation step is to upgrade Weaviate to version 1.38.0-rc.0 or later, where this vulnerability has been fixed.

The fix ensures that duplicate static API keys are rejected during configuration validation, preventing authorization bypass.

Until you can upgrade, manually verify that your configuration contains no duplicate static API keys to reduce the risk of exploitation.

Compliance Impact

The vulnerability in Weaviate allows for authorization bypass due to duplicate static API keys, which can lead to unauthorized access and privilege escalation.

Such unauthorized access risks compromising sensitive data and user privacy, which can negatively impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

By allowing an attacker to impersonate higher-privileged users, this vulnerability undermines the integrity of authentication mechanisms, potentially leading to violations of regulatory requirements for data confidentiality and security.

Upgrading to version 1.38.0-rc.0, which includes a fix to enforce unique static API keys, is necessary to mitigate this risk and help maintain compliance.
