CVE-2026-11500
Severity: Medium
Weakness type: CWE-285
Published: Jun 8, 2026  ·  Modified: Jun 10, 2026  ·  Source: NVD
CVSS v3: 5.0
🔗 NVD Official
📄 Description (English)

A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component.

🤖 AI Executive Summary

Weaviate versions up to 1.37.7 contain an authorization bypass vulnerability in the Static API Key Handler that allows remote attackers to manipulate authentication credentials through the StaticApiKey parameter. While exploitation requires high complexity and is currently difficult to execute, the publicly available exploit code and widespread use of Weaviate in enterprise AI/ML deployments pose a moderate risk. Organizations should prioritize upgrading to version 1.38.0-rc.0 or later to eliminate this authentication weakness.


🤖 AI Intelligence Analysis (analyzed Jun 8, 2026 14:00)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging Weaviate for AI/ML applications—particularly in banking (SAMA-regulated institutions), government digital transformation initiatives (NCA oversight), healthcare systems, and energy sector analytics—face authentication bypass risks. Financial institutions using Weaviate for fraud detection or customer analytics could experience unauthorized data access. Government agencies implementing AI-driven services may face compliance violations under NCA ECC 2024. The vulnerability's impact is elevated in multi-tenant deployments where API key isolation is critical for data segregation.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, E-commerce and Retail, Insurance
⚖️ Saudi Risk Score (AI)
5.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Weaviate instances in your environment running versions ≤1.37.7 using asset discovery tools
2. Assess exposure by reviewing API key usage patterns and access logs for suspicious authentication attempts
3. Implement network segmentation to restrict Weaviate API access to trusted internal networks only

Patching Guidance:
1. Upgrade to Weaviate version 1.38.0-rc.0 or later (patch commit: 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0)
2. Test upgrades in non-production environments first to ensure compatibility with dependent applications
3. Schedule maintenance windows for production upgrades with stakeholder notification
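The inventory and patching steps above come down to one comparison: every instance at or below 1.37.7 is affected, and 1.38.0-rc.0 or later carries the fix. The script below is an added example, not code from this advisory or from the Weaviate project. It parses semantic versions (including release-candidate suffixes, so that 1.38.0-rc.0 sorts before 1.38.0 but after 1.37.7), triages a constructed inventory, and includes an optional helper that reads the running version from an instance's /v1/meta endpoint; that the endpoint returns a `version` field is an assumption, as are the hostnames and versions in the sample inventory.

```python
"""Triage a Weaviate inventory against CVE-2026-11500.

Affected: versions <= 1.37.7.  Fixed: 1.38.0-rc.0 and later (per the advisory).
"""
import json
import re
import urllib.request

FIXED_VERSION = "1.38.0-rc.0"  # first fixed release named in the advisory

# major.minor.patch with optional -prerelease and +build, optional leading "v"
_SEMVER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def _prerelease_key(pre):
    """Sort key for the prerelease part following semver rules."""
    if pre is None:
        return (1,)  # a final release sorts after any prerelease of the same core
    ids = []
    for ident in pre.split("."):
        # numeric identifiers compare as integers and sort before alphanumeric ones
        ids.append((0, int(ident)) if ident.isdigit() else (1, ident))
    return (0, tuple(ids))


def parse_version(text):
    """Return a tuple that orders correctly under plain tuple comparison."""
    m = _SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), _prerelease_key(pre))


def is_affected(version):
    """True when the instance runs anything older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """inventory: iterable of (name, version) -> list of (name, version, status)."""
    rows = []
    for name, version in inventory:
        try:
            status = "AFFECTED" if is_affected(version) else "fixed"
        except ValueError:
            status = "unknown-version"  # needs manual follow-up, never silently skipped
        rows.append((name, version, status))
    return rows


def fetch_version(base_url, timeout=5):
    """Read the running version from /v1/meta (assumed to expose a 'version' field)."""
    url = f"{base_url.rstrip('/')}/v1/meta"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


# Constructed sample inventory: hostnames and versions are illustrative, not real assets
SAMPLE_INVENTORY = [
    ("vector-db-prod-01", "1.37.7"),
    ("vector-db-prod-02", "1.36.2"),
    ("vector-db-staging", "1.38.0-rc.0"),
    ("vector-db-dev", "v1.38.1"),
    ("legacy-box", "unknown"),
]

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE_INVENTORY):
        print(f"{name:20} {version:12} {status}")
```

Entries whose version cannot be parsed are reported as `unknown-version` rather than dropped, so the inventory review catches hosts that still need a manual check.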

Compensating Controls (if immediate patching is not possible):
1. Implement API gateway authentication layer with additional token validation
2. Enable comprehensive API request logging and monitoring for StaticApiKey parameter manipulation attempts
3. Restrict API key permissions to minimum required scopes using role-based access controls
4. Implement rate limiting and anomaly detection on authentication endpoints

Detection Rules:
1. Monitor for repeated failed authentication attempts with modified StaticApiKey values
2. Alert on API requests containing unusual StaticApiKey patterns or lengths
3. Track successful authentications from unexpected source IPs or user agents
4. Log all API key configuration changes and review for unauthorized modifications
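The four detection rules above can be expressed directly as logic over authentication audit events. The script below is an added example, not code from this advisory or from Weaviate; it runs over constructed JSON-lines events whose field names (`event`, `outcome`, `src_ip`, `key_len`, `user_agent`, `actor`, `object`) are assumptions, not Weaviate's real log schema, and the thresholds, trusted networks, expected user agents and approved-admin list are placeholders an operator would set for their own deployment. Only the length of the presented key is logged and inspected, never the key itself.

```python
"""Detection rules R1-R4 for CVE-2026-11500 run over constructed audit events."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tunables: assumptions for this example, to be replaced with deployment-specific values
FAIL_THRESHOLD = 5                                  # R1: failures per source inside WINDOW
WINDOW = timedelta(minutes=5)
EXPECTED_KEY_LENGTHS = {64}                         # R2: length of the keys you provisioned
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # R3
EXPECTED_USER_AGENTS = ("weaviate-python-client/",)  # R3: allowed user-agent prefixes
APPROVED_ADMINS = {"alice"}                         # R4: who may change API key config

# Constructed sample events (not a real log; format is an assumption of this example)
SAMPLE_LOG = """\
{"ts":"2026-06-08T13:00:01Z","event":"auth","outcome":"fail","src_ip":"203.0.113.10","key_len":64,"user_agent":"curl/8.5"}
{"ts":"2026-06-08T13:00:02Z","event":"auth","outcome":"fail","src_ip":"203.0.113.10","key_len":63,"user_agent":"curl/8.5"}
{"ts":"2026-06-08T13:00:03Z","event":"auth","outcome":"fail","src_ip":"203.0.113.10","key_len":65,"user_agent":"curl/8.5"}
{"ts":"2026-06-08T13:00:04Z","event":"auth","outcome":"fail","src_ip":"203.0.113.10","key_len":128,"user_agent":"curl/8.5"}
{"ts":"2026-06-08T13:00:05Z","event":"auth","outcome":"fail","src_ip":"203.0.113.10","key_len":1,"user_agent":"curl/8.5"}
{"ts":"2026-06-08T13:00:09Z","event":"auth","outcome":"success","src_ip":"203.0.113.10","key_len":64,"user_agent":"curl/8.5"}
{"ts":"2026-06-08T13:01:00Z","event":"auth","outcome":"success","src_ip":"10.1.2.3","key_len":64,"user_agent":"weaviate-python-client/4.5"}
{"ts":"2026-06-08T13:02:00Z","event":"auth","outcome":"fail","src_ip":"10.1.2.4","key_len":64,"user_agent":"weaviate-python-client/4.5"}
{"ts":"2026-06-08T13:05:00Z","event":"config_change","object":"apikey","actor":"svc-deploy","src_ip":"10.1.2.9"}
{"ts":"2026-06-08T13:06:00Z","event":"config_change","object":"apikey","actor":"alice","src_ip":"10.1.2.9"}
"""


def parse_events(text):
    """Parse JSON-lines events; returns them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def detect(events):
    """Apply R1-R4; returns a list of (rule_id, src_ip, message)."""
    alerts = []
    recent_fails = defaultdict(deque)  # src_ip -> failure timestamps inside WINDOW
    r1_fired = set()
    odd_lengths = defaultdict(list)    # src_ip -> key lengths outside the expected set
    for ev in events:
        src = ev.get("src_ip", "?")
        if ev["event"] == "auth":
            # R2: only the length is ever inspected; the key material is not in the log
            if ev["key_len"] not in EXPECTED_KEY_LENGTHS:
                odd_lengths[src].append(ev["key_len"])
            if ev["outcome"] == "fail":
                q = recent_fails[src]
                q.append(ev["ts"])
                while ev["ts"] - q[0] > WINDOW:   # slide the window forward
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and src not in r1_fired:
                    r1_fired.add(src)             # one alert per source, not per failure
                    alerts.append(("R1", src, f"{len(q)} failed authentications within {WINDOW}"))
            elif ev["outcome"] == "success":
                ua = ev.get("user_agent", "")
                if not _trusted(src) or not ua.startswith(EXPECTED_USER_AGENTS):
                    alerts.append(("R3", src, f"successful authentication from unexpected source or agent {ua!r}"))
        elif ev["event"] == "config_change" and ev.get("object") == "apikey":
            # R4: every change stays in the log; flag those not made by an approved admin
            if ev.get("actor") not in APPROVED_ADMINS:
                alerts.append(("R4", src, f"API key configuration changed by {ev.get('actor')!r}"))
    for src, lengths in odd_lengths.items():
        alerts.append(("R2", src, f"unusual StaticApiKey lengths presented: {lengths}"))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, src, msg in run_sample():
        print(f"[{rule}] {src}: {msg}")
```

R1 uses a sliding window so a slow trickle of failures does not accumulate forever, and R2 aggregates per source so one noisy client produces a single alert listing every odd length rather than one alert per request.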
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.9.2.1 - User registration and access rights management
A.9.2.5 - Access rights review
A.10.1.1 - Information security event logging
A.10.3.1 - Handling of security incidents
🔵 SAMA CSF
ID.AM-1 - Asset Management
PR.AC-1 - Access Control Policy
PR.AC-4 - Access Management
DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
A.5.15 - Access Control
A.8.2.1 - User Registration and De-registration
A.8.2.3 - Management of Privileged Access Rights
A.12.4.1 - Event Logging
🟣 PCI DSS v4.0.1
Requirement 2.1 - Default Security Parameters
Requirement 7 - Restrict Access to Data
Requirement 8 - Identify and Authenticate Access
Requirement 10 - Track and Monitor Access
📊 CVSS Score
5.0 / 10.0 (Medium)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: N (Network)
Attack Complexity: H (High)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: L (Low)
Integrity: L (Low)
Availability: L (Low)
📋 Quick Facts
Severity: Medium
CVSS Score: 5.0
CWE: CWE-285
EPSS: 0.07%
Exploit: No
Patch: No
Published: 2026-06-08
Source Feed: nvd
🇸🇦 Saudi Risk Score
5.8 / 10.0 (Saudi Risk)
Priority: HIGH
🏷️ Tags
CWE-285