MEDIUM 5.0

CVE-2026-11500: Weaviate Authorization Bypass in Static API Key Handler

Weaviate versions up to 1.37.7 contain an authorization bypass vulnerability in the static API key authentication handler. An authenticated attacker can manipulate the StaticApiKey parameter to bypass access controls and gain unauthorized access to protected resources. The vulnerability requires a valid user account and significant technical knowledge to exploit, but public exploit code exists. Upgrading to version 1.38.0-rc.0 resolves the issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-285, CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11500 affects the validateConfig function in usecases/auth/authentication/apikey/client.go within Weaviate's Static API Key Handler component. The vulnerability stems from improper validation of the StaticApiKey argument, allowing authenticated users to manipulate this parameter and circumvent authorization checks. The attack vector is network-based and requires prior authentication (PR:L), making this a post-authentication authorization flaw rather than an unauthenticated bypass. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects moderate severity with high attack complexity. Both CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key) apply, indicating design-level issues in the authentication enforcement mechanism.

Business impact

An authenticated attacker exploiting this vulnerability could gain unauthorized access to Weaviate resources they should not have permission to access, potentially leading to unauthorized data disclosure, modification, or deletion. The impact is limited by the requirement for a valid account and high attack complexity, but organizations relying on Weaviate for sensitive workloads should treat this as a credentialed insider risk. The existence of public exploit code increases the likelihood of opportunistic attacks from users with legitimate but limited access seeking privilege escalation or lateral movement within the Weaviate environment.

Affected systems

Weaviate versions up to and including 1.37.7 are vulnerable. The vulnerability is resolved in version 1.38.0-rc.0 and later stable releases. Organizations should verify their current Weaviate deployment version and cross-reference against their inventory management systems to identify affected instances.

Exploitability

While the CVSS score reflects high attack complexity (AC:H), the existence of publicly available exploit code lowers the barrier to weaponization. Exploitation requires an authenticated user account, limiting the threat surface to insiders, compromised credentials, or users with legitimate but restricted access. The high complexity factor suggests the exploit may be version-specific or require specific environmental conditions to succeed reliably, but motivated adversaries with working exploit code and valid credentials are a credible threat.

Remediation

Upgrade Weaviate to version 1.38.0-rc.0 or later. Organizations on stable release tracks should verify the availability of a stable 1.38.x release and test thoroughly before deploying to production. The patch is identified by commit hash 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0, which can be used to verify proper patching in version control. No workarounds are documented; patching is the primary remediation path.

Patch guidance

Deploy version 1.38.0-rc.0 or later after completing pre-production validation. If you are running stable releases, monitor Weaviate release channels for the next stable 1.38.x version and plan an upgrade within your standard patch cycle. Test the upgrade in a non-production environment first, particularly validating API key authentication behavior and any custom authentication integrations. The high attack complexity suggests testing with typical attack scenarios (e.g., attempting API access with manipulated static keys) during validation.

Detection guidance

Monitor authentication logs for unusual API key usage patterns, such as repeated authorization failures followed by successful access with different privilege levels than the calling account normally possesses. Track failed and successful authentication attempts to the Static API Key Handler component. Look for suspicious parameter manipulation in request logs, particularly cases where StaticApiKey arguments differ unexpectedly from baseline patterns. Implement alerting for authentication bypass attempts if your security monitoring infrastructure can detect authorization failures that are subsequently overridden.

Why prioritize this

This vulnerability merits timely patching despite its MEDIUM CVSS score due to the existence of public exploit code combined with the post-authentication nature of the attack. Organizations should prioritize patching if they have public-facing Weaviate instances or instances accessible to multiple user accounts. The high attack complexity somewhat reduces urgency for isolated, single-user deployments, but the authorization bypass nature and proven exploitability warrant treating this as a high-priority patch candidate in most enterprise environments.

Risk score, explained

The CVSS 3.1 score of 5.0 reflects the combination of network accessibility, high attack complexity, and the requirement for legitimate credentials. The impact on confidentiality, integrity, and availability is limited (L/L/L), and the scope remains unchanged (S:U). The score appropriately captures that this is a credentialed attack with moderate severity, not a critical remote code execution or unauthenticated bypass. However, organizations using Weaviate for multi-tenant scenarios or with sensitive data should weight the exploitation likelihood (public exploit code exists) more heavily than the raw CVSS number suggests.

Frequently asked questions

Can this vulnerability be exploited without a valid user account?

No. The CVSS vector shows PR:L (privileges required: low), meaning an authenticated user account is required to initiate the attack. This limits the threat surface to authorized users, compromised credentials, or accounts gained through other means.

Does the vulnerability affect all Weaviate deployments equally?

The impact depends on your authentication model and access controls. Deployments relying heavily on API key-based access with multiple user accounts or leveraging static API keys for different service tiers are at higher risk than single-account or internal-only deployments.

What is the difference between 1.38.0-rc.0 and stable releases?

Version 1.38.0-rc.0 is a release candidate. Organizations should verify that a stable 1.38.x release is available or use the release candidate only if your environment supports it. Check Weaviate's official release schedule to confirm when stable 1.38.x versions will be available.

How can we test that the patch is effective?

After upgrading, test API key authentication with manipulated StaticApiKey parameters to verify they no longer bypass authorization checks. Confirm that only legitimately authorized API keys grant access to protected resources and that attempts to elevate privileges via key manipulation fail as expected.

This analysis is based on publicly disclosed vulnerability information current as of June 2026. Organizations should verify patch availability and compatibility against their specific Weaviate deployment before applying updates. The assessment assumes standard Weaviate configurations; custom implementations or security controls may affect actual risk. No exploit code is provided or encouraged; this analysis is for defensive purposes only. Always consult Weaviate's official security advisories and release notes for authoritative remediation guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).