CVE-2026-59093
Status: Received - Intake

Weaviate RBAC Privilege Escalation via Role Assignment

Vulnerability report for CVE-2026-59093, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers (POST /authz/users/{id}/assign and /authz/groups/{id}/assign) authorize only that the caller may assign roles to the target user or group, not the permissions contained in the assigned roles, unlike role creation which enforces that a user can only create roles with permissions less than or equal to its own. A user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission can assign the built-in admin role, or any high-privilege custom role, to itself or others, escalating to full administrative control of the database.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: weaviate
Product: weaviate
Version / Range: all versions before 1.38.0 (1.38.0 itself is not affected)

CWE

CWE-266 (Incorrect Privilege Assignment): A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Executive Summary

CVE-2026-59093 is a privilege escalation vulnerability in Weaviate versions before 1.38.0 related to its Role-Based Access Control (RBAC) system.

The vulnerability occurs because the system does not verify that a user assigning a role actually holds the permissions granted by that role. While the system checks if the caller is authorized to assign roles to users or groups, it fails to validate the permissions contained within the assigned roles.

This means a user with limited permissions, such as only having the ability to assign or revoke users or groups, can assign themselves or others high-privilege roles like the built-in admin role or any custom role with elevated permissions, effectively escalating their privileges to full administrative control over the database.

Impact Analysis

This vulnerability allows an attacker with limited permissions to escalate their privileges to full administrative control of the Weaviate database.

With administrative control, the attacker can access, modify, or delete sensitive data, change configurations, and potentially compromise the entire system.

Such unauthorized access and control can lead to data breaches, loss of data integrity, and disruption of services.

Detection Guidance

This vulnerability involves improper permission checks in Weaviate's RBAC system, specifically in the role assignment handlers. Detection would involve monitoring or auditing role assignment activities, especially POST requests to /authz/users/{id}/assign and /authz/groups/{id}/assign endpoints.

You can detect potential exploitation by checking logs for role assignments where a user with limited permissions assigns themselves or others high-privilege roles such as the built-in admin role.

Suggested methods include:

  • Review Weaviate API access logs for POST requests to /authz/users/{id}/assign and /authz/groups/{id}/assign. The target user or group is in the path, but the names of the roles being assigned travel in the request body, so a log that records only method and path will not show which role was assigned.
  • Filter for assignments where the assigned role is the built-in admin role or a high-privilege custom role.
  • Flag callers whose own roles grant only assign_and_revoke_users or assign_and_revoke_groups but who assigned themselves or others a role carrying permissions they do not hold.
  • Correlate each caller's effective permissions with the permissions of the roles they assigned; any assignment whose permissions are not a subset of the caller's own is a candidate escalation.

Mitigation Strategies

The primary mitigation step is to upgrade Weaviate to version 1.38.0 or later, where this vulnerability has been fixed by enforcing stricter permission checks during role assignments.

The fix ensures that users cannot assign roles with permissions they themselves do not possess, preventing privilege escalation.
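The following is an added example, not Weaviate's own code, that models the gap described in this advisory and the subset check the fix is described as enforcing, and then reuses that check as the correlation step from the Detection Guidance above (caller permissions versus assigned-role permissions). The permission model is an assumption for illustration: a permission is an (action, resource) pair with shell-style wildcards, roles are named sets of permissions, and the built-in admin role holds the wildcard. The role catalogue and the audit events are constructed; only the action name assign_and_revoke_users and the admin role name come from the advisory. The group endpoint behaves the same way and is omitted for brevity.

```python
"""Added example (not Weaviate's code): the role-assignment authorization gap
behind CVE-2026-59093 next to the hardened subset check, plus an offline audit
over constructed assignment events.

Assumed model: Permission(action, resource) with fnmatch-style wildcards;
roles are sets of permissions; "admin" holds the wildcard permission.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    action: str
    resource: str = "*"


# Constructed role catalogue (illustrative, not Weaviate's real definitions).
ROLES = {
    "admin": {Permission("*", "*")},
    "user-manager": {Permission("assign_and_revoke_users", "*")},
    "reader": {Permission("read_data", "Articles"),
               Permission("read_collections", "Articles")},
}


def covered(needed: Permission, held: set[Permission]) -> bool:
    """True if some held permission matches the needed one (wildcards allowed)."""
    return any(fnmatchcase(needed.action, h.action)
               and fnmatchcase(needed.resource, h.resource) for h in held)


def effective(role_names) -> set[Permission]:
    """Union of the permissions of every role the principal holds."""
    return {p for name in role_names for p in ROLES[name]}


def vulnerable_authorize_assign(caller_roles, target_user, roles_to_assign) -> bool:
    """Pre-1.38.0 behaviour as the advisory describes it: only checks that the
    caller may assign roles to the target; roles_to_assign is never inspected."""
    return covered(Permission("assign_and_revoke_users", target_user),
                   effective(caller_roles))


def hardened_authorize_assign(caller_roles, target_user, roles_to_assign):
    """Checks both conditions: the caller may assign to the target, and the
    caller already holds every permission of every role being assigned.
    Returns (allowed, missing_permissions)."""
    held = effective(caller_roles)
    assign_perm = Permission("assign_and_revoke_users", target_user)
    if not covered(assign_perm, held):
        return False, [assign_perm]
    missing = sorted(
        {p for name in roles_to_assign for p in ROLES[name] if not covered(p, held)},
        key=lambda p: (p.action, p.resource))
    return not missing, missing


# Constructed audit events, shaped like what one would extract from request
# logs: the caller, the caller's roles at the time, the target in the path,
# and the role names from the request body.
EVENTS = [
    {"caller": "alice", "caller_roles": ["user-manager"], "target": "alice", "roles": ["admin"]},
    {"caller": "root", "caller_roles": ["admin"], "target": "bob", "roles": ["reader"]},
    {"caller": "alice", "caller_roles": ["user-manager"], "target": "carol", "roles": ["reader"]},
]


def audit(events):
    """Re-run the hardened check over past assignments and return the ones the
    vulnerable handler accepted but the fixed check would refuse."""
    findings = []
    for e in events:
        allowed_old = vulnerable_authorize_assign(e["caller_roles"], e["target"], e["roles"])
        allowed_new, missing = hardened_authorize_assign(e["caller_roles"], e["target"], e["roles"])
        if allowed_old and not allowed_new:
            findings.append((e["caller"], e["target"], e["roles"], missing))
    return findings


if __name__ == "__main__":
    for caller, target, roles, missing in audit(EVENTS):
        print(f"{caller} -> {target}: assigned {roles}, caller lacked {missing}")
```

Note that the audit flags the assignment of the plain reader role by the delegated user manager as well as the self-assignment of admin: the advisory's condition is that the assigned role carries permissions the caller does not hold, and a user-management role holds no data permissions at all. When applying this to real logs, the caller's roles must be taken as they were at the time of the request, not as they are now, since a successful escalation changes them.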

Until the upgrade can be applied, restrict the role assignment endpoints (/authz/users/{id}/assign and /authz/groups/{id}/assign) to trusted administrators only. In practice that means removing the assign_and_revoke_users and assign_and_revoke_groups permissions from every delegated role, since holding either permission is all the vulnerable handlers check before assigning a role.

Additionally, audit current role assignments and revoke any unauthorized high-privilege roles that may have been assigned improperly.