Improper Role Assignment in Weaviate by Seed AI
CVE-2026-59093

8.7 HIGH

Key Information:

Vendor: Weaviate

Status: Vendor

CVE Published: 2 July 2026

What is CVE-2026-59093?

Weaviate versions prior to 1.38.0 contain a critical flaw in their role-based access control (RBAC) mechanism that lets users with limited permissions assign high-privilege roles, including administrative roles, to themselves or to other users. The cause is an incomplete authorization check: the system verifies only that the caller is allowed to assign roles, not that the caller already holds the permissions the assigned role would grant. An unauthorized user can therefore escalate to complete control of the database, defeating the access controls intended to protect sensitive data. Users should upgrade to Weaviate 1.38.0 or later to mitigate this risk.
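The following is an added illustration, not Weaviate's own code: a minimal Go model of the authorization check described above, with the flawed version (caller may assign roles at all) next to a hardened version (caller must also hold every permission the role grants). Role and permission names are constructed for the example.

```go
package main

import "fmt"

// Role maps a name to the permissions it grants, e.g. "assign_roles". All
// names here are constructed for the example, not Weaviate's own identifiers.
type Role struct {
	Name  string
	Perms map[string]bool
}

// User holds the roles currently assigned to a principal.
type User struct {
	Name  string
	Roles []Role
}

// Has reports whether any of the user's roles grants permission p.
func (u User) Has(p string) bool {
	for _, r := range u.Roles {
		if r.Perms[p] {
			return true
		}
	}
	return false
}

// AssignRoleVulnerable models the flawed check: it only asks whether the caller
// may assign roles at all, so a limited caller can hand out an admin role.
func AssignRoleVulnerable(caller User, target *User, role Role) error {
	if !caller.Has("assign_roles") {
		return fmt.Errorf("%s may not assign roles", caller.Name)
	}
	target.Roles = append(target.Roles, role)
	return nil
}

// AssignRoleHardened also requires the caller to already hold every permission
// the role would grant, so an assignment can never escalate privilege.
func AssignRoleHardened(caller User, target *User, role Role) error {
	if !caller.Has("assign_roles") {
		return fmt.Errorf("%s may not assign roles", caller.Name)
	}
	for p := range role.Perms {
		if !caller.Has(p) {
			return fmt.Errorf("%s lacks %q granted by role %s", caller.Name, p, role.Name)
		}
	}
	target.Roles = append(target.Roles, role)
	return nil
}
```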

Affected Version(s)

weaviate: all versions from 0 up to, but excluding, 1.38.0

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen