CVE-2026-30855
📋 TL;DR
WeKnora versions before 0.3.2 have an authorization bypass vulnerability in tenant management endpoints. Any authenticated user can read, modify, or delete any tenant by ID, and since account registration is open to the public, unauthenticated attackers can register accounts and exploit this. This enables cross-tenant account takeover and destruction, affecting all WeKnora deployments with vulnerable versions.
💻 Affected Systems
- WeKnora
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all tenant data, including deletion of all tenants and their associated documents, leading to total service disruption and data loss.
Likely Case
Attackers register accounts and exploit the vulnerability to access, modify, or delete tenant data across the system, resulting in data breaches and potential service outages.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized access attempts that are detected and blocked, but the vulnerability still poses a high risk if exploited.
🎯 Exploit Status
Exploitation requires account registration (which is open) followed by simple API calls to tenant endpoints, making it straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.2
Vendor Advisory: https://github.com/Tencent/WeKnora/security/advisories/GHSA-ccj6-79j6-cq5q
Restart Required: Yes
Instructions:
1. Backup your WeKnora data and configuration.
2. Update WeKnora to version 0.3.2 or later using your package manager or by downloading from the official repository.
3. Restart the WeKnora service to apply the patch.
🔧 Temporary Workarounds
Disable Public Account Registration
Temporarily disable public account registration to prevent unauthenticated attackers from creating accounts, reducing the attack surface.
Modify WeKnora configuration to set 'allow_public_registration' to false and restart the service.
Restrict Access to Tenant Management Endpoints
Use network firewalls or web application firewalls to block or restrict access to tenant management API endpoints.
Configure firewall rules to deny external access to paths like '/api/tenant/*' except from trusted IPs.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WeKnora instances from untrusted networks.
- Enable detailed logging and monitoring for tenant management activities to detect and respond to exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the WeKnora version; if it is below 0.3.2, the system is vulnerable. Test by attempting to access tenant management endpoints with a low-privilege account.
Check Version:
Run weknora --version, or check the version in the application configuration file.
Verify Fix Applied:
After updating to 0.3.2 or later, verify that low-privilege users cannot access or modify tenant data they do not own.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to tenant management endpoints, especially from newly registered accounts.
- Failed authorization attempts or successful modifications to tenant data by unauthorized users.
Network Indicators:
- HTTP requests to paths like '/api/tenant/*' from untrusted sources or with unexpected parameters.
SIEM Query:
source="weknora_logs" AND (uri_path="/api/tenant/*" AND user_role!="admin")
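The log indicators above, turned into a detector that runs over sample access-log lines. This is an added example, not code from WeKnora or from the advisory; it assumes a JSON-lines log with user, role, tenant (the caller's own tenant id), method, path and status fields (constructed names) and the /api/tenant/<id> path shape from the workaround section, so adapt the field names to the schema your deployment actually emits.

```python
# Added example, not WeKnora project code. Assumes a JSON-lines access log with
# fields user, role, tenant (caller's own tenant id), method, path and status;
# those names and the /api/tenant/<id> path shape are assumptions for illustration.
import json
import re

TENANT_PATH = re.compile(r"^/api/tenant/(?P<tid>[^/?]+)")  # captures target tenant id
MUTATING = {"PUT", "PATCH", "DELETE"}

def classify(event):
    """Label a suspicious tenant-endpoint request, or return None.
    Before 0.3.2 any authenticated user could act on any tenant by ID, so the
    signal is a non-admin whose own tenant differs from the one in the path."""
    m = TENANT_PATH.match(event.get("path", ""))
    if not m or event.get("role") == "admin":
        return None
    if m.group("tid") == str(event.get("tenant")):
        return None  # user acting on their own tenant: expected behaviour
    ok = 200 <= int(event.get("status", 0)) < 300
    if ok and event.get("method") in MUTATING:
        return "CROSS_TENANT_MODIFY"  # succeeded write/delete: likely exploitation
    if ok:
        return "CROSS_TENANT_READ"    # succeeded read of another tenant's data
    return "CROSS_TENANT_ATTEMPT"     # denied (e.g. after patching), still notable

def scan(lines):
    """Return [(label, event)] for every alerting line in a JSON-lines log."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        label = classify(event) if isinstance(event, dict) else None
        if label:
            hits.append((label, event))
    return hits

# Constructed sample log lines for demonstration (not real WeKnora output).
SAMPLE_LOG = """
{"user":"alice","role":"user","tenant":"t-100","method":"GET","path":"/api/tenant/t-100","status":200}
{"user":"mallory","role":"user","tenant":"t-200","method":"GET","path":"/api/tenant/t-100","status":200}
{"user":"mallory","role":"user","tenant":"t-200","method":"DELETE","path":"/api/tenant/t-100","status":200}
{"user":"mallory","role":"user","tenant":"t-200","method":"PUT","path":"/api/tenant/t-300","status":403}
{"user":"root","role":"admin","tenant":"t-1","method":"DELETE","path":"/api/tenant/t-100","status":200}
"""
```

Running scan(SAMPLE_LOG.splitlines()) flags only the three mallory requests, which is the cross-tenant pattern the SIEM query above is looking for; the CROSS_TENANT_MODIFY label is the one to page on.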