GHSA-ccj6-79j6-cq5q: WeKnora Vulnerable to Broken Access Control in Tenant Management
Summary
WeKnora has a broken access control vulnerability in its tenant management system. It is a case of BOLA (broken object-level authorization), where an attacker reaches resources they should not have access to by manipulating object IDs. Any authenticated user can read, modify, or delete any tenant because no permission checks are performed. Since anyone can register an account, attackers can exploit this to take over or destroy other organizations' accounts and access their sensitive data, such as API keys.
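The pattern described above, as an added illustration that is not code from WeKnora or from the advisory: a tenant lookup that trusts the ID in the request, next to one that checks that ID against the tenant bound to the authenticated caller. The types, function names and the one-tenant-per-caller model are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not WeKnora's data model.
type Tenant struct{ ID uint64; APIKey string }
type Caller struct{ UserID, TenantID uint64 } // identity from authentication
type Store map[uint64]*Tenant

var ErrForbidden = errors.New("caller is not a member of this tenant")

// GetTenantVulnerable ignores the caller and trusts the ID taken from
// the request: authenticated, but with no object-level check (BOLA).
func (s Store) GetTenantVulnerable(_ Caller, id uint64) *Tenant { return s[id] }

// authorize requires the requested tenant to be the caller's own. It runs
// before any lookup, so a refusal does not reveal which IDs exist.
func authorize(c Caller, id uint64) error {
	if c.TenantID != id {
		return ErrForbidden
	}
	return nil
}

// GetTenant and DeleteTenant apply the same check on every operation.
func (s Store) GetTenant(c Caller, id uint64) (*Tenant, error) {
	if err := authorize(c, id); err != nil {
		return nil, err
	}
	return s[id], nil
}

func (s Store) DeleteTenant(c Caller, id uint64) error {
	if err := authorize(c, id); err != nil {
		return err
	}
	delete(s, id)
	return nil
}

func main() {
	s := Store{2: {ID: 2, APIKey: "constructed-key-B"}} // constructed sample data
	_, err := s.GetTenant(Caller{UserID: 10, TenantID: 1}, 2)
	fmt.Println(err)
}
```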
Vulnerability Details
EPSS: 0.1%
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://github.com/advisories/GHSA-ccj6-79j6-cq5q
First tracked: March 6, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 75%