CVE-2026-30857
📋 TL;DR
This vulnerability allows any authenticated user in WeKnora to clone another tenant's knowledge base into their own tenant by guessing or knowing the source knowledge base ID. This enables cross-tenant data exfiltration of documents and FAQ content. All WeKnora deployments prior to version 0.3.0 are affected.
💻 Affected Systems
- WeKnora
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Massive data breach where an attacker systematically clones all tenant knowledge bases, exfiltrating sensitive documents and intellectual property across the entire platform.
Likely Case
Targeted data theft where an attacker identifies specific high-value tenants and clones their knowledge bases to access proprietary documents and FAQ content.
If Mitigated
Limited impact with proper access controls and monitoring, where unauthorized cloning attempts are detected and blocked before significant data exfiltration occurs.
🎯 Exploit Status
Exploitation requires only authenticated access and knowledge/guessing of target knowledge base IDs; simple HTTP requests to the copy endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.0
Vendor Advisory: https://github.com/Tencent/WeKnora/security/advisories/GHSA-8rf9-c59g-f82f
Restart Required: Yes
Instructions:
1. Backup your WeKnora configuration and data. 2. Upgrade WeKnora to version 0.3.0 or later. 3. Restart the WeKnora service. 4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Network Access Control
allRestrict access to the knowledge base copy endpoint using network firewalls or web application firewalls.
Rate Limiting
allImplement rate limiting on the copy endpoint to prevent bulk cloning attempts.
🧯 If You Can't Patch
- Implement strict access controls and monitoring on the knowledge base copy endpoint.
- Segregate tenant data at the network or application layer to prevent cross-tenant access.
🔍 How to Verify
Check if Vulnerable:
Check WeKnora version; if version is below 0.3.0, the system is vulnerable. Test authenticated access to clone another tenant's knowledge base using known ID.Check Version:
Check WeKnora configuration files or API endpoint for version information.Verify Fix Applied:
After upgrading to 0.3.0, attempt to clone another tenant's knowledge base; the request should be rejected with proper authorization error.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /api/knowledge-base/copy endpoint with different source IDs
- Unusual increase in knowledge base creation events
- Access logs showing cross-tenant knowledge base access patterns
Network Indicators:
- Burst of HTTP POST requests to copy endpoint from single source
- Unusual data transfer volumes following copy operations
SIEM Query:
source="weknora" AND (uri_path="/api/knowledge-base/copy" AND status=200) | stats count by src_ip, user