{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-30857", "tracking": { "current_release_date": "2026-03-26T01:19:43.189320Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-30857", "initial_release_date": "2026-03-07T00:12:45.806756Z", "revision_history": [ { "date": "2026-03-07T00:12:45.806756Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-07T00:12:50.919874Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-07T00:39:54.035331Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-07T00:40:04.549031Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-07T17:25:16.525835Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-07T17:25:19.279379Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-07T17:38:52.331191Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-07T17:39:01.688784Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-08T14:48:52.473726Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-08T14:49:05.178634Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-09T13:39:51.270297Z", "number": "11", "summary": "References created (1)." }, { "date": "2026-03-09T18:12:54.076612Z", "number": "12", "summary": "Products connected (1).| Products removed (1).| References created (1)." }, { "date": "2026-03-09T18:27:56.454180Z", "number": "13", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-09T18:27:58.635888Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-03-09T18:39:21.180414Z", "number": "15", "summary": "Unknown change." }, { "date": "2026-03-19T15:29:13.167960Z", "number": "16", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-19T15:29:16.363393Z", "number": "17", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:33:49.423901Z", "number": "18", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-25T18:15:34.588938Z", "number": "19", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)." }, { "date": "2026-03-25T21:45:11.258400Z", "number": "20", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (21).| References created (3).| CWES updated (1)." }, { "date": "2026-03-25T21:45:23.764196Z", "number": "21", "summary": "NCSC Score updated." } ], "status": "interim", "version": "21" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<0.3.0", "product": { "name": "vers:unknown/<0.3.0", "product_id": "CSAFPID-5770072" } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<0.3.0", "product": { "name": "vers:unknown/>=0|<0.3.0", "product_id": "CSAFPID-5771904" } } ], "category": "product_name", "name": "WeKnora" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<0.3.0", "product": { "name": "vers:unknown/<0.3.0", "product_id": "CSAFPID-5772001", "product_identification_helper": { "cpe": "cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.0", "product": { "name": "vers:unknown/v0.1.0", "product_id": "CSAFPID-5364807" } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.1", "product": { "name": "vers:unknown/v0.1.1", "product_id": "CSAFPID-5364808" } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.2", "product": { "name": "vers:unknown/v0.1.2", "product_id": "CSAFPID-5364809" } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.3", "product": { "name": "vers:unknown/v0.1.3", "product_id": "CSAFPID-5364810" } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.5", "product": { "name": "vers:unknown/v0.1.5", "product_id": "CSAFPID-5364811" } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.6", "product": { "name": "vers:unknown/v0.1.6", "product_id": "CSAFPID-5364812" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.0", "product": { "name": "vers:unknown/v0.2.0", "product_id": "CSAFPID-5364813" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.1", "product": { "name": "vers:unknown/v0.2.1", "product_id": "CSAFPID-5364814" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.10", "product": { "name": "vers:unknown/v0.2.10", "product_id": "CSAFPID-5909251" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.11", "product": { "name": "vers:unknown/v0.2.11", "product_id": "CSAFPID-5909252" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.12", "product": { "name": "vers:unknown/v0.2.12", "product_id": "CSAFPID-5909258" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.13", "product": { "name": "vers:unknown/v0.2.13", "product_id": "CSAFPID-5909259" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.14", "product": { "name": "vers:unknown/v0.2.14", "product_id": "CSAFPID-5909260" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.2", "product": { "name": "vers:unknown/v0.2.2", "product_id": "CSAFPID-5364815" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.3", "product": { "name": "vers:unknown/v0.2.3", "product_id": "CSAFPID-5364816" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.4", "product": { "name": "vers:unknown/v0.2.4", "product_id": "CSAFPID-5364817" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.5", "product": { "name": "vers:unknown/v0.2.5", "product_id": "CSAFPID-5909253" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.6", "product": { "name": "vers:unknown/v0.2.6", "product_id": "CSAFPID-5909254" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.7", "product": { "name": "vers:unknown/v0.2.7", "product_id": "CSAFPID-5909255" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.8", "product": { "name": "vers:unknown/v0.2.8", "product_id": "CSAFPID-5909256" } }, { "category": "product_version_range", "name": "vers:unknown/v0.2.9", "product": { "name": "vers:unknown/v0.2.9", "product_id": "CSAFPID-5909257" } } ], "category": "product_name", "name": "weknora" } ], "category": "vendor", "name": "Tencent" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-30857", "cwe": { "id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key" }, "notes": [ { "category": "description", "text": "### Summary\nA cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants, making the impact critical.\n\n### Details\n\nThe `POST /api/v1/knowledge-bases/copy` endpoint enqueues an asynchronous KB clone task using the caller-supplied `source_id` without verifying ownership (see `internal/handler/knowledgebase.go`).\n```go\n// Create KB clone payload\npayload := types.KBClonePayload{\n TenantID: tenantID.(uint64),\n TaskID: taskID,\n SourceID: req.SourceID, // from attacker's input\n TargetID: req.TargetID,\n}\n\npayloadBytes, err := json.Marshal(payload)\nif err != nil {\n logger.Errorf(ctx, \"Failed to marshal KB clone payload: %v\", err)\n c.Error(errors.NewInternalServerError(\"Failed to create task\"))\n return\n}\n\n// Enqueue KB clone task to Asynq\ntask := asynq.NewTask(types.TypeKBClone, payloadBytes,\nasynq.TaskID(taskID), asynq.Queue(\"default\"), asynq.MaxRetry(3)) // enqueue task\ninfo, err := h.asynqClient.Enqueue(task)\nif err != nil {\n logger.Errorf(ctx, \"Failed to enqueue KB clone task: %v\", err)\n c.Error(errors.NewInternalServerError(\"Failed to enqueue task\"))\n return\n}\n```\n\nThen, the asynq task handler (`ProcessKBClone`) invokes the `CopyKnowledgeBase` service method to perform the clone operation (see `internal/application/service/knowledge.go`):\n\n```go\n// Get source and target knowledge bases\nsrcKB, dstKB, err := s.kbService.CopyKnowledgeBase(ctx, payload.SourceID, payload.TargetID)\nif err != nil {\n logger.Errorf(ctx, \"Failed to copy knowledge base: %v\", err)\n handleError(progress, err, \"Failed to copy knowledge base configuration\")\n return err\n}\n```\n\nAfter that, the `CopyKnowledgeBase` method calls the repository method to load the source knowledge base (see `internal/application/service/knowledgebase.go`):\n\n```go\nfunc (s *knowledgeBaseService) CopyKnowledgeBase(ctx context.Context,\n\tsrcKB string, dstKB string,\n) (*types.KnowledgeBase, *types.KnowledgeBase, error) {\n\tsourceKB, err := s.repo.GetKnowledgeBaseByID(ctx, srcKB)\n\tif err != nil {\n\t\tlogger.Errorf(ctx, \"Get source knowledge base failed: %v\", err)\n\t\treturn nil, nil, err\n\t}\n\tsourceKB.EnsureDefaults()\n\ttenantID := ctx.Value(types.TenantIDContextKey).(uint64)\n\tvar targetKB *types.KnowledgeBase\n\tif dstKB != \"\" {\n\t\ttargetKB, err = s.repo.GetKnowledgeBaseByID(ctx, dstKB)\n // ...\n }\n // ...\n}\n```\n\n\n> Note: until now, the tenant ID is correctly set in context to the attacker’s tenant (from the payload), which can be used to prevent cross-tenant access.\n\nHowever, the repository method `GetKnowledgeBaseByID` loads knowledge bases by `id` only, allowing cross-tenant reads (see `internal/application/repository/knowledgebase.go`).\n\n```go\nfunc (r *knowledgeBaseRepository) GetKnowledgeBaseByID(ctx context.Context, id string) (*types.KnowledgeBase, error) {\n\tvar kb types.KnowledgeBase\n\tif err := r.db.WithContext(ctx).Where(\"id = ?\", id).First(&kb).Error; err != nil {\n\t\tif errors.Is(err, gorm.ErrRecordNotFound) {\n\t\t\treturn nil, ErrKnowledgeBaseNotFound\n\t\t}\n\t\treturn nil, err\n\t}\n\treturn &kb, nil\n}\n```\n\nThe data access layer fails to enforce tenant isolation because `GetKnowledgeBaseByID` only filters by ID and ignores the `tenant_id` present in the context. A secure implementation should enforce a tenant-scoped lookup (e.g., `WHERE id = ? AND tenant_id = ?`) or use a tenant-aware repository API to prevent cross-tenant access.\n\nService shallow-copies the KB configuration by calling `GetKnowledgeBaseByID(ctx, srcKB)` for the source KB, then creates a new KB under the attacker’s tenant while copying fields from the victim KB (`internal/application/service/knowledgebase.go`):\n\n```go\nsourceKB, err := s.repo.GetKnowledgeBaseByID(ctx, srcKB) // not tenant-scoped\n...\ntargetKB = &types.KnowledgeBase{\n ID: uuid.New().String(),\n Name: sourceKB.Name,\n Type: sourceKB.Type,\n Description: sourceKB.Description,\n TenantID: tenantID,\n ChunkingConfig: sourceKB.ChunkingConfig,\n ImageProcessingConfig: sourceKB.ImageProcessingConfig,\n EmbeddingModelID: sourceKB.EmbeddingModelID,\n SummaryModelID: sourceKB.SummaryModelID,\n VLMConfig: sourceKB.VLMConfig,\n StorageConfig: sourceKB.StorageConfig,\n FAQConfig: faqConfig,\n}\ntargetKB.EnsureDefaults()\n if err := s.repo.CreateKnowledgeBase(ctx, targetKB); err != nil {\n return nil, nil, err\n }\n}\n```\n\n### PoC\n\nPrecondition: Attacker is authenticated in Tenant A and can obtain (or guess) a victim's knowledge base UUID belonging to Tenant B.\n\n1) Authenticate as Tenant A and obtain a bearer token or API key.\n\n2) Start a cross-tenant clone using the victim’s knowledge base ID as `source_id`:\n\n```bash\ncurl -X POST http://localhost:8088/api/v1/knowledge-bases/copy \\\n -H \"Authorization: Bearer \" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"source_id\":\"\",\"target_id\":\"\"}'\n```\n\n3) Observe that the task is accepted:\n- HTTP `200 OK`\n- Response contains a `task_id` and a message like `\"Knowledge base copy task started\"`.\n\n4) After the async task completes, a new knowledge base appears under Tenant A containing copied content/config from Tenant B.\n\n> Note: the copy can succeed even when models referenced by the source KB do not exist in the attacker tenant, indicating the workflow does not validate model ownership during copy.\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/8313fa44-5d5d-43f4-8ebd-f465c5a9d56e\n\n### Impact\n\nThis is a Broken Access Control (BOLA/IDOR) vulnerability enabling cross-tenant data exfiltration:\n\n- Any authenticated user can trigger a clone of a victim tenant’s knowledge base into their own tenant.\n- Results in bulk disclosure/duplication of knowledge base contents (documents/FAQ entries/chunks), plus associated configuration.", "title": "github - https://github.com/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "description", "text": "### Summary\nA cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants, making the impact critical.\n\n### Details\n\nThe `POST /api/v1/knowledge-bases/copy` endpoint enqueues an asynchronous KB clone task using the caller-supplied `source_id` without verifying ownership (see `internal/handler/knowledgebase.go`).\n```go\n// Create KB clone payload\npayload := types.KBClonePayload{\n TenantID: tenantID.(uint64),\n TaskID: taskID,\n SourceID: req.SourceID, // from attacker's input\n TargetID: req.TargetID,\n}\n\npayloadBytes, err := json.Marshal(payload)\nif err != nil {\n logger.Errorf(ctx, \"Failed to marshal KB clone payload: %v\", err)\n c.Error(errors.NewInternalServerError(\"Failed to create task\"))\n return\n}\n\n// Enqueue KB clone task to Asynq\ntask := asynq.NewTask(types.TypeKBClone, payloadBytes,\nasynq.TaskID(taskID), asynq.Queue(\"default\"), asynq.MaxRetry(3)) // enqueue task\ninfo, err := h.asynqClient.Enqueue(task)\nif err != nil {\n logger.Errorf(ctx, \"Failed to enqueue KB clone task: %v\", err)\n c.Error(errors.NewInternalServerError(\"Failed to enqueue task\"))\n return\n}\n```\n\nThen, the asynq task handler (`ProcessKBClone`) invokes the `CopyKnowledgeBase` service method to perform the clone operation (see `internal/application/service/knowledge.go`):\n\n```go\n// Get source and target knowledge bases\nsrcKB, dstKB, err := s.kbService.CopyKnowledgeBase(ctx, payload.SourceID, payload.TargetID)\nif err != nil {\n logger.Errorf(ctx, \"Failed to copy knowledge base: %v\", err)\n handleError(progress, err, \"Failed to copy knowledge base configuration\")\n return err\n}\n```\n\nAfter that, the `CopyKnowledgeBase` method calls the repository method to load the source knowledge base (see `internal/application/service/knowledgebase.go`):\n\n```go\nfunc (s *knowledgeBaseService) CopyKnowledgeBase(ctx context.Context,\n\tsrcKB string, dstKB string,\n) (*types.KnowledgeBase, *types.KnowledgeBase, error) {\n\tsourceKB, err := s.repo.GetKnowledgeBaseByID(ctx, srcKB)\n\tif err != nil {\n\t\tlogger.Errorf(ctx, \"Get source knowledge base failed: %v\", err)\n\t\treturn nil, nil, err\n\t}\n\tsourceKB.EnsureDefaults()\n\ttenantID := ctx.Value(types.TenantIDContextKey).(uint64)\n\tvar targetKB *types.KnowledgeBase\n\tif dstKB != \"\" {\n\t\ttargetKB, err = s.repo.GetKnowledgeBaseByID(ctx, dstKB)\n // ...\n }\n // ...\n}\n```\n\n\n> Note: until now, the tenant ID is correctly set in context to the attacker’s tenant (from the payload), which can be used to prevent cross-tenant access.\n\nHowever, the repository method `GetKnowledgeBaseByID` loads knowledge bases by `id` only, allowing cross-tenant reads (see `internal/application/repository/knowledgebase.go`).\n\n```go\nfunc (r *knowledgeBaseRepository) GetKnowledgeBaseByID(ctx context.Context, id string) (*types.KnowledgeBase, error) {\n\tvar kb types.KnowledgeBase\n\tif err := r.db.WithContext(ctx).Where(\"id = ?\", id).First(&kb).Error; err != nil {\n\t\tif errors.Is(err, gorm.ErrRecordNotFound) {\n\t\t\treturn nil, ErrKnowledgeBaseNotFound\n\t\t}\n\t\treturn nil, err\n\t}\n\treturn &kb, nil\n}\n```\n\nThe data access layer fails to enforce tenant isolation because `GetKnowledgeBaseByID` only filters by ID and ignores the `tenant_id` present in the context. A secure implementation should enforce a tenant-scoped lookup (e.g., `WHERE id = ? AND tenant_id = ?`) or use a tenant-aware repository API to prevent cross-tenant access.\n\nService shallow-copies the KB configuration by calling `GetKnowledgeBaseByID(ctx, srcKB)` for the source KB, then creates a new KB under the attacker’s tenant while copying fields from the victim KB (`internal/application/service/knowledgebase.go`):\n\n```go\nsourceKB, err := s.repo.GetKnowledgeBaseByID(ctx, srcKB) // not tenant-scoped\n...\ntargetKB = &types.KnowledgeBase{\n ID: uuid.New().String(),\n Name: sourceKB.Name,\n Type: sourceKB.Type,\n Description: sourceKB.Description,\n TenantID: tenantID,\n ChunkingConfig: sourceKB.ChunkingConfig,\n ImageProcessingConfig: sourceKB.ImageProcessingConfig,\n EmbeddingModelID: sourceKB.EmbeddingModelID,\n SummaryModelID: sourceKB.SummaryModelID,\n VLMConfig: sourceKB.VLMConfig,\n StorageConfig: sourceKB.StorageConfig,\n FAQConfig: faqConfig,\n}\ntargetKB.EnsureDefaults()\n if err := s.repo.CreateKnowledgeBase(ctx, targetKB); err != nil {\n return nil, nil, err\n }\n}\n```\n\n### PoC\n\nPrecondition: Attacker is authenticated in Tenant A and can obtain (or guess) a victim's knowledge base UUID belonging to Tenant B.\n\n1) Authenticate as Tenant A and obtain a bearer token or API key.\n\n2) Start a cross-tenant clone using the victim’s knowledge base ID as `source_id`:\n\n```bash\ncurl -X POST http://localhost:8088/api/v1/knowledge-bases/copy \\\n -H \"Authorization: Bearer \" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"source_id\":\"\",\"target_id\":\"\"}'\n```\n\n3) Observe that the task is accepted:\n- HTTP `200 OK`\n- Response contains a `task_id` and a message like `\"Knowledge base copy task started\"`.\n\n4) After the async task completes, a new knowledge base appears under Tenant A containing copied content/config from Tenant B.\n\n> Note: the copy can succeed even when models referenced by the source KB do not exist in the attacker tenant, indicating the workflow does not validate model ownership during copy.\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/8313fa44-5d5d-43f4-8ebd-f465c5a9d56e\n\n### Impact\n\nThis is a Broken Access Control (BOLA/IDOR) vulnerability enabling cross-tenant data exfiltration:\n\n- Any authenticated user can trigger a clone of a victim tenant’s knowledge base into their own tenant.\n- Results in bulk disclosure/duplication of knowledge base contents (documents/FAQ entries/chunks), plus associated configuration.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-8rf9-c59g-f82f.json?alt=media" }, { "category": "description", "text": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants. This issue has been patched in version 0.3.0.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-30857" }, { "category": "description", "text": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants. This issue has been patched in version 0.3.0.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-30857" }, { "category": "description", "text": "### Summary\nA cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants, making the impact critical.\n\n### Details\n\nThe `POST /api/v1/knowledge-bases/copy` endpoint enqueues an asynchronous KB clone task using the caller-supplied `source_id` without verifying ownership (see `internal/handler/knowledgebase.go`).\n```go\n// Create KB clone payload\npayload := types.KBClonePayload{\n TenantID: tenantID.(uint64),\n TaskID: taskID,\n SourceID: req.SourceID, // from attacker's input\n TargetID: req.TargetID,\n}\n\npayloadBytes, err := json.Marshal(payload)\nif err != nil {\n logger.Errorf(ctx, \"Failed to marshal KB clone payload: %v\", err)\n c.Error(errors.NewInternalServerError(\"Failed to create task\"))\n return\n}\n\n// Enqueue KB clone task to Asynq\ntask := asynq.NewTask(types.TypeKBClone, payloadBytes,\nasynq.TaskID(taskID), asynq.Queue(\"default\"), asynq.MaxRetry(3)) // enqueue task\ninfo, err := h.asynqClient.Enqueue(task)\nif err != nil {\n logger.Errorf(ctx, \"Failed to enqueue KB clone task: %v\", err)\n c.Error(errors.NewInternalServerError(\"Failed to enqueue task\"))\n return\n}\n```\n\nThen, the asynq task handler (`ProcessKBClone`) invokes the `CopyKnowledgeBase` service method to perform the clone operation (see `internal/application/service/knowledge.go`):\n\n```go\n// Get source and target knowledge bases\nsrcKB, dstKB, err := s.kbService.CopyKnowledgeBase(ctx, payload.SourceID, payload.TargetID)\nif err != nil {\n logger.Errorf(ctx, \"Failed to copy knowledge base: %v\", err)\n handleError(progress, err, \"Failed to copy knowledge base configuration\")\n return err\n}\n```\n\nAfter that, the `CopyKnowledgeBase` method calls the repository method to load the source knowledge base (see `internal/application/service/knowledgebase.go`):\n\n```go\nfunc (s *knowledgeBaseService) CopyKnowledgeBase(ctx context.Context,\n\tsrcKB string, dstKB string,\n) (*types.KnowledgeBase, *types.KnowledgeBase, error) {\n\tsourceKB, err := s.repo.GetKnowledgeBaseByID(ctx, srcKB)\n\tif err != nil {\n\t\tlogger.Errorf(ctx, \"Get source knowledge base failed: %v\", err)\n\t\treturn nil, nil, err\n\t}\n\tsourceKB.EnsureDefaults()\n\ttenantID := ctx.Value(types.TenantIDContextKey).(uint64)\n\tvar targetKB *types.KnowledgeBase\n\tif dstKB != \"\" {\n\t\ttargetKB, err = s.repo.GetKnowledgeBaseByID(ctx, dstKB)\n // ...\n }\n // ...\n}\n```\n\n\n> Note: until now, the tenant ID is correctly set in context to the attacker’s tenant (from the payload), which can be used to prevent cross-tenant access.\n\nHowever, the repository method `GetKnowledgeBaseByID` loads knowledge bases by `id` only, allowing cross-tenant reads (see `internal/application/repository/knowledgebase.go`).\n\n```go\nfunc (r *knowledgeBaseRepository) GetKnowledgeBaseByID(ctx context.Context, id string) (*types.KnowledgeBase, error) {\n\tvar kb types.KnowledgeBase\n\tif err := r.db.WithContext(ctx).Where(\"id = ?\", id).First(&kb).Error; err != nil {\n\t\tif errors.Is(err, gorm.ErrRecordNotFound) {\n\t\t\treturn nil, ErrKnowledgeBaseNotFound\n\t\t}\n\t\treturn nil, err\n\t}\n\treturn &kb, nil\n}\n```\n\nThe data access layer fails to enforce tenant isolation because `GetKnowledgeBaseByID` only filters by ID and ignores the `tenant_id` present in the context. A secure implementation should enforce a tenant-scoped lookup (e.g., `WHERE id = ? AND tenant_id = ?`) or use a tenant-aware repository API to prevent cross-tenant access.\n\nService shallow-copies the KB configuration by calling `GetKnowledgeBaseByID(ctx, srcKB)` for the source KB, then creates a new KB under the attacker’s tenant while copying fields from the victim KB (`internal/application/service/knowledgebase.go`):\n\n```go\nsourceKB, err := s.repo.GetKnowledgeBaseByID(ctx, srcKB) // not tenant-scoped\n...\ntargetKB = &types.KnowledgeBase{\n ID: uuid.New().String(),\n Name: sourceKB.Name,\n Type: sourceKB.Type,\n Description: sourceKB.Description,\n TenantID: tenantID,\n ChunkingConfig: sourceKB.ChunkingConfig,\n ImageProcessingConfig: sourceKB.ImageProcessingConfig,\n EmbeddingModelID: sourceKB.EmbeddingModelID,\n SummaryModelID: sourceKB.SummaryModelID,\n VLMConfig: sourceKB.VLMConfig,\n StorageConfig: sourceKB.StorageConfig,\n FAQConfig: faqConfig,\n}\ntargetKB.EnsureDefaults()\n if err := s.repo.CreateKnowledgeBase(ctx, targetKB); err != nil {\n return nil, nil, err\n }\n}\n```\n\n### PoC\n\nPrecondition: Attacker is authenticated in Tenant A and can obtain (or guess) a victim's knowledge base UUID belonging to Tenant B.\n\n1) Authenticate as Tenant A and obtain a bearer token or API key.\n\n2) Start a cross-tenant clone using the victim’s knowledge base ID as `source_id`:\n\n```bash\ncurl -X POST http://localhost:8088/api/v1/knowledge-bases/copy \\\n -H \"Authorization: Bearer \" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"source_id\":\"\",\"target_id\":\"\"}'\n```\n\n3) Observe that the task is accepted:\n- HTTP `200 OK`\n- Response contains a `task_id` and a message like `\"Knowledge base copy task started\"`.\n\n4) After the async task completes, a new knowledge base appears under Tenant A containing copied content/config from Tenant B.\n\n> Note: the copy can succeed even when models referenced by the source KB do not exist in the attacker tenant, indicating the workflow does not validate model ownership during copy.\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/8313fa44-5d5d-43f4-8ebd-f465c5a9d56e\n\n### Impact\n\nThis is a Broken Access Control (BOLA/IDOR) vulnerability enabling cross-tenant data exfiltration:\n\n- Any authenticated user can trigger a clone of a victim tenant’s knowledge base into their own tenant.\n- Results in bulk disclosure/duplication of knowledge base contents (documents/FAQ entries/chunks), plus associated configuration.", "title": "github - https://api.github.com/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "description", "text": "WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning in github.com/Tencent/WeKnora", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4640.json?alt=media" }, { "category": "description", "text": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone (duplicate) another tenant’s knowledge base into their own tenant by knowing/guessing the source knowledge base ID. This enables bulk data exfiltration (document/FAQ content) across tenants. This issue has been patched in version 0.3.0.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-30857.json?alt=media" }, { "category": "other", "text": "0.00033", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5770072", "CSAFPID-5771904", "CSAFPID-5772001", "CSAFPID-5364807", "CSAFPID-5364808", "CSAFPID-5364809", "CSAFPID-5364810", "CSAFPID-5364811", "CSAFPID-5364812", "CSAFPID-5364813", "CSAFPID-5364814", "CSAFPID-5364815", "CSAFPID-5364816", "CSAFPID-5364817", "CSAFPID-5909251", "CSAFPID-5909252", "CSAFPID-5909253", "CSAFPID-5909254", "CSAFPID-5909255", "CSAFPID-5909256", "CSAFPID-5909257", "CSAFPID-5909258", "CSAFPID-5909259", "CSAFPID-5909260" ] }, "references": [ { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-8rf9-c59g-f82f.json?alt=media" }, { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30857" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-30857" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-30857" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/30xxx/CVE-2026-30857.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30857" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4640.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-30857.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-8rf9-c59g-f82f" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30857" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30857.json" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5364807", "CSAFPID-5364808", "CSAFPID-5364809", "CSAFPID-5364810", "CSAFPID-5364811", "CSAFPID-5364812", "CSAFPID-5364813", "CSAFPID-5364814", "CSAFPID-5364815", "CSAFPID-5364816", "CSAFPID-5364817", "CSAFPID-5770072", "CSAFPID-5771904", "CSAFPID-5772001", "CSAFPID-5909251", "CSAFPID-5909252", "CSAFPID-5909253", "CSAFPID-5909254", "CSAFPID-5909255", "CSAFPID-5909256", "CSAFPID-5909257", "CSAFPID-5909258", "CSAFPID-5909259", "CSAFPID-5909260" ] } ], "title": "CVE-2026-30857" } ] }