๐Ÿ” CVE Alert

CVE-2026-11500

MEDIUM 5.0

Weaviate Static API Key client.go validateConfig authorization

CVSS Score: 5.0
EPSS Score: 0.1%
EPSS Percentile: 22nd

A vulnerability was identified in Weaviate up to 1.37.7. It affects the function validateConfig in the file usecases/auth/authentication/apikey/client.go of the Static API Key Handler component. Manipulation of the StaticApiKey argument leads to an authorization bypass. The attack can be initiated remotely, but its complexity is rather high and exploitability is stated to be difficult. An exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 resolves this issue; the identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.

CWE: CWE-639, CWE-285
Vendor: n/a
Product: weaviate
Published: Jun 8, 2026
Last Updated: Jun 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: Low (A:L)

Affected Versions

n/a / Weaviate: 1.37.0, 1.37.1, 1.37.2, 1.37.3, 1.37.4, 1.37.5, 1.37.6, 1.37.7

References

NVD, CVE.org, EPSS Data

vuldb.com: https://vuldb.com/vuln/369120
vuldb.com: https://vuldb.com/vuln/369120/cti
vuldb.com: https://vuldb.com/cve/CVE-2026-11500
vuldb.com: https://vuldb.com/submit/835080
github.com: https://github.com/weaviate/weaviate/issues/11392
github.com: https://github.com/weaviate/weaviate/commit/40f2cc32279f0f8a51016c3c6870a2c0c808e6c0
github.com: https://github.com/weaviate/weaviate/releases/tag/v1.38.0-rc.0
github.com: https://github.com/weaviate/weaviate/

Credits

๐Ÿ” Dem000 (VulDB User)