Description
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.
Published: 2026-06-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Weaviate's validateConfig function, part of the Static API Key Handler, allows an attacker to manipulate the StaticApiKey argument and bypass the authorization checks that static API keys are meant to enforce. The vulnerability can be triggered remotely and requires the attacker to supply crafted input to the API key validation routine. Exploitation is rated as complex and difficult, but a public exploit exists, which raises the risk. The impact is on confidentiality and integrity: unauthorized access to resources that should be gated by static API keys.

Affected Systems

The affected product is Weaviate, an open-source vector database. Versions up to and including 1.37.7 are vulnerable. The fix is included in release 1.38.0-rc.0 and later, which carries the commit 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0 that addresses the issue.

Risk and Exploitability

The CVSS v4.0 score of 2.3 classifies this vulnerability as low severity, and it is not listed in the CISA KEV catalog. The EPSS estimate is below 1% (very low), so the probability of exploitation in the wild is currently judged small. The attack vector is network-based (AV:N). Although the authorization check can be bypassed, the high attack complexity and the absence of known in-the-wild exploitation limit the immediate risk; the vulnerability should still be remediated promptly by upgrading.

Generated by OpenCVE AI on June 8, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weaviate to version 1.38.0-rc.0 or newer, which applies the patch identified by commit 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0.
  • If an upgrade cannot be performed immediately, disable or revoke any static API keys in use and enforce additional authentication mechanisms for critical operations.
  • Restrict network access to the Weaviate API endpoints and monitor for unauthorized attempts to use static API keys.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 10:00:00 +0000

Type: Description
Values Added: A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.

Type: Title
Values Added: Weaviate Static API Key client.go validateConfig authorization

Type: First Time appeared
Values Added: Weaviate; Weaviate weaviate

Type: Weaknesses
Values Added: CWE-285; CWE-639

Type: CPEs
Values Added: cpe:2.3:a:weaviate:weaviate:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Weaviate; Weaviate weaviate

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0
{'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0
{'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1
{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0
{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T13:26:51.375Z

Reserved: 2026-06-07T13:32:26.497Z

Link: CVE-2026-11500

Vulnrichment

Updated: 2026-06-08T13:26:45.980Z

NVD

Status : Deferred

Published: 2026-06-08T10:16:32.320

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T11:30:22Z

Weaknesses