{"data":{"id":"7003fe18-2e97-41c9-8eb9-7f50020bec62","title":"CVE-2026-59093: Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted","summary":"Weaviate versions before 1.38.0 have a security flaw in RBAC (role-based access control, a system that restricts what users can do based on assigned roles) where the system doesn't check if someone assigning a role to themselves or others actually has permission to grant those permissions. This means a user with limited permissions can assign themselves or others powerful admin roles, gaining full control of the database.","solution":"Update to Weaviate version 1.38.0 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-59093","publishedAt":"2026-07-02T20:17:07.410Z","cveId":"CVE-2026-59093","cweIds":["CWE-266"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Weaviate"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-02T20:17:07.410Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}