{"data":{"id":"796ff3cc-d6b3-44fa-bf03-938ce60c4823","title":"GHSA-2f4c-vrjq-rcgv: WeKnora has Broken Access Control - Cross-Tenant Data Exposure","summary":"WeKnora has a broken access control vulnerability (a security flaw where the application fails to properly check permissions) that lets any logged-in user from one tenant (a separate customer or organization) read sensitive data from other tenants' databases, including API keys (credentials for accessing external services), model configurations, and private messages. The problem happens because three database tables (messages, embeddings, models) are allowed to be queried but don't have automatic tenant filtering applied to them.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-2f4c-vrjq-rcgv","publishedAt":"2026-03-06T23:57:20.000Z","cveId":"CVE-2026-30859","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":["github.com/Tencent/WeKnora@<= 2.0.11"],"affectedVendors":[],"affectedVendorsRaw":["WeKnora"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0004,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}