Improper Role Assignment in Weaviate by Seed AI
CVE-2026-59093
8.7 HIGH
What is CVE-2026-59093?
Weaviate versions prior to 1.38.0 contain a critical flaw in their role-based access control (RBAC) mechanism: users with limited permissions can assign high-privilege roles, including administrative roles, to themselves or to other users. The root cause is that the system only checks whether the caller is permitted to assign roles at all, not whether the caller already holds the permissions granted by the role being assigned. As a result, an unauthorized user may gain complete control over the database, defeating the security model intended to protect sensitive data. Users should upgrade to Weaviate 1.38.0 or later to mitigate this risk.
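To make the missing check concrete, here is an added Go model (not Weaviate's code; the permission names and sample roles are constructed for this example) of a role-assignment authorizer that only asks whether the caller may assign roles, beside one that also requires the caller to already hold every permission the target role grants. The hardened variant is one reasonable approach, assumed here, not a description of Weaviate's actual patch.

```go
package main

import "fmt"

// Permission is one action a role grants; the names are constructed for this
// example and are not Weaviate's real permission identifiers.
type Permission string

const AssignRoles, ReadData, ManageUsers Permission = "assign_roles", "read_data", "manage_users"
// Role is a set of permissions; a user holds one or more roles. The two sample
// roles are constructed: a limited user who may assign roles, and an admin.
type Role []Permission

var RoleAssigner, RoleAdmin = Role{AssignRoles, ReadData}, Role{AssignRoles, ReadData, ManageUsers}
// effective unions the permissions of every role the caller holds.
func effective(roles []Role) map[Permission]bool {
	have := map[Permission]bool{}
	for _, r := range roles {
		for _, p := range r {
			have[p] = true
		}
	}
	return have
}

// canAssignVulnerable models the pre-1.38.0 check the advisory describes: only the
// caller's right to assign roles is tested, so it may hand out RoleAdmin to anyone.
func canAssignVulnerable(caller []Role, target Role) bool {
	return effective(caller)[AssignRoles]
}

// canAssignFixed is one hardening approach (assumed, not Weaviate's patch): the caller
// must also already hold every permission the target grants, so it cannot escalate.
func canAssignFixed(caller []Role, target Role) bool {
	have := effective(caller)
	if !have[AssignRoles] {
		return false
	}
	for _, p := range target {
		if !have[p] {
			return false
		}
	}
	return true
}

func main() {
	limited := []Role{RoleAssigner}
	fmt.Println(canAssignVulnerable(limited, RoleAdmin), canAssignFixed(limited, RoleAdmin)) // true false
}
```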
Affected Version(s)
weaviate: >= 0, < 1.38.0
