Description
A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Tencent WeKnora’s Config API endpoint allows an attacker to alter the kbId argument of getKnowledgeBaseForInitialization, bypassing authorization checks and gaining unauthorized access to knowledge base data. This results in a loss of confidentiality and potential for privileged data exposure. The weakness corresponds to CWE‑285 (Improper Authorization) and CWE‑639 (Privilege Escalation through Role-based Access).

Affected Systems

Tencent WeKnora up to version 0.3.6 is affected. The vulnerable component is the internal/handler/initialization.go file within the Config API Endpoint.

Risk and Exploitability

The vulnerability carries a CVSS base score of 5.3, indicating medium severity. EPSS information is unavailable, and the issue is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by sending crafted HTTP requests to the exposed endpoint, with no proof-of-concept required. Given the lack of a vendor response, the risk remains medium until a fix is released and deployed.

Generated by OpenCVE AI on May 18, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch for WeKnora once it is released or upgrade to a non‑vulnerable version.
  • Restrict access to the Config API endpoint, ensuring only authenticated and authorized roles can provide the kbId parameter.
  • Implement logging and alerting for anomalous API calls that attempt to supply unknown or malicious kbId values, and regularly review those logs for signs of exploitation.

Generated by OpenCVE AI on May 18, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization
First Time appeared Tencent
Tencent weknora
Weaknesses CWE-285
CWE-639
CPEs cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*
Vendors & Products Tencent
Tencent weknora
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tencent Weknora
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T03:00:14.994Z

Reserved: 2026-05-17T10:23:37.846Z

Link: CVE-2026-8786

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-18T04:16:34.743

Modified: 2026-05-18T04:16:34.743

Link: CVE-2026-8786

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T04:30:17Z

Weaknesses