CVE-2025-67819: An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer
Summary
Weaviate OSS (open-source software) versions before 1.33.4 have a vulnerability where the fileName field is not properly validated in the transfer logic. An attacker who can call the GetFile method while a shard (a part of a database) is paused and the FileReplicationService (the system that copies files) is accessible could read any files that the service has permission to access.
Solution / Mitigation
Upgrade to Weaviate OSS version 1.33.4 or later.
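For services that cannot be upgraded immediately, or for reviewing similar file-transfer handlers, the following added example (not Weaviate's code and not the upstream fix) shows a containment check on a client-supplied fileName. The helper name ResolveShardFile, the error values, and the /data/shard0 path are assumptions made for illustration, as is the premise that served files live under a single shard directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var (
	ErrBadName     = errors.New("empty or malformed fileName")
	ErrOutsideRoot = errors.New("fileName resolves outside the shard directory")
)

// ResolveShardFile is a hypothetical helper (not Weaviate's API). It maps a
// client-supplied fileName to a path under shardRoot and rejects anything
// that would land elsewhere. Assumption: served files live under one directory.
func ResolveShardFile(shardRoot, fileName string) (string, error) {
	if fileName == "" || strings.ContainsRune(fileName, 0) {
		return "", ErrBadName
	}
	if filepath.IsAbs(fileName) {
		return "", ErrOutsideRoot
	}
	root := filepath.Clean(shardRoot)
	full := filepath.Join(root, fileName) // Join cleans "a/../.." sequences
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	if rel == "." {
		return "", ErrBadName // the directory itself is not a file
	}
	// Lexical check only: symlinks inside shardRoot are not resolved here.
	return full, nil
}

func main() {
	root := "/data/shard0" // constructed sample path
	for _, name := range []string{"lsm/segment-001.db", "../../etc/passwd", "/etc/passwd", "lsm/../../shard1/x.db"} {
		p, err := ResolveShardFile(root, name)
		fmt.Printf("%-24q -> %q err=%v\n", name, p, err)
	}
}
```

The check is lexical, so a deployment that allows symlinks inside the shard directory would also need to resolve them before opening the file.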
Vulnerability Details
4.9 (medium)
EPSS: 0.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-67819
First tracked: February 15, 2026 at 08:48 PM