CVE-2026-59093: Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted
Summary
Weaviate versions before 1.38.0 have a security flaw in RBAC (role-based access control, a system that restricts what users can do based on assigned roles) where the system doesn't check if someone assigning a role to themselves or others actually has permission to grant those permissions. This means a user with limited permissions can assign themselves or others powerful admin roles, gaining full control of the database.
Solution / Mitigation
Update to Weaviate version 1.38.0 or later.
Vulnerability Details
8.8(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
network
low
low
none
July 2, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-59093
First tracked: July 2, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%