CVE Catalog

CVE-2026-59093

Severity: High (CVSS 8.8)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.29%

21st percentile — higher than 21% of all known CVEs

Summary

In Weaviate before version 1.38.0, there is no verification that a principal assigning an RBAC role holds the permissions granted by that role. The assignRoleToUser and assignRoleToGroup handlers only authorize the ability to assign a role, not the permissions themselves, allowing a user with the delegated assign_and_revoke_users or assign_and_revoke_groups permission to assign the built-in admin role or any high-privilege custom role to themselves or others.

Risk Assessment

The organization is at risk of privilege escalation, where a user with limited permissions can gain full administrative control over the Weaviate database, potentially compromising data confidentiality, integrity, and availability.

Recommendation

Immediately upgrade Weaviate to version 1.38.0 or later, which includes a fix that enforces permission verification during role assignment.

Original NVD description (English source)

Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers (POST /authz/users/{id}/assign and /authz/groups/{id}/assign) authorize only that the caller may assign roles to the target user or group, not the permissions contained in the assigned roles, unlike role creation which enforces that a user can only create roles with permissions less than or equal to its own. A user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission can assign the built-in admin role, or any high-privilege custom role, to itself or others, escalating to full administrative control of the database.
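The missing check described above, as an added illustration in Go (the language Weaviate is written in); this is constructed example code, not Weaviate's own handler code, and the permission names, role shape and `assignUsers` constant are assumptions. The first function mirrors the pre-1.38.0 behaviour (authorize only the act of assigning); the second adds the "permissions less than or equal to the caller's" rule that the description says role creation already enforced, and returns a reason so a denial can be audit-logged.

```go
package main

import "fmt"

// Permission is one authorization grant; Role is a named set of them.
// Both are constructed for this example, not Weaviate's data model.
type Permission string
type Role struct {
	Name  string
	Perms map[Permission]bool
}

// assignUsers stands in for the delegated assign_and_revoke_users permission.
const assignUsers Permission = "assign_and_revoke_users"

// canAssignVulnerable reproduces the pre-1.38.0 logic: only "may the caller
// assign roles to this target?" is checked, never what the role grants.
func canAssignVulnerable(caller map[Permission]bool, target Role) bool {
	return caller[assignUsers]
}

// canAssignFixed also requires every permission in the role to be held by the
// caller, so a delegate cannot hand out admin. The reason string is meant for
// the audit log: a denial here is a privilege-escalation attempt worth alerting on.
func canAssignFixed(caller map[Permission]bool, target Role) (bool, string) {
	if !caller[assignUsers] {
		return false, "caller lacks " + string(assignUsers)
	}
	for p := range target.Perms {
		if !caller[p] {
			return false, fmt.Sprintf("role %q grants %q which caller lacks", target.Name, p)
		}
	}
	return true, "ok"
}

func main() {
	// Constructed principals: a delegate with only assign rights plus read access.
	delegate := map[Permission]bool{assignUsers: true, "read:collections": true}
	admin := Role{"admin", map[Permission]bool{"manage:users": true, "manage:roles": true, "read:collections": true}}
	reader := Role{"reader", map[Permission]bool{"read:collections": true}}

	fmt.Println("vulnerable, admin:", canAssignVulnerable(delegate, admin)) // true
	ok, why := canAssignFixed(delegate, admin)
	fmt.Println("fixed, admin:", ok, why) // false
	ok, why = canAssignFixed(delegate, reader)
	fmt.Println("fixed, reader:", ok, why) // true
}
```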

Vulnerability data from NVD (NIST) · CISA KEV · EPSS