{
"document": {
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "National Cyber Security Centre",
"namespace": "https://www.ncsc.nl/"
},
"title": "CVE-2026-30859",
"tracking": {
"current_release_date": "2026-03-25T19:19:22.843798Z",
"generator": {
"date": "2026-02-17T15:00:00Z",
"engine": {
"name": "V.E.L.M.A",
"version": "1.7"
}
},
"id": "CVE-2026-30859",
"initial_release_date": "2026-03-07T00:12:45.476957Z",
"revision_history": [
{
"date": "2026-03-07T00:12:45.476957Z",
"number": "1",
"summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
},
{
"date": "2026-03-07T00:12:50.919874Z",
"number": "2",
"summary": "NCSC Score created."
},
{
"date": "2026-03-07T00:39:53.658524Z",
"number": "3",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-07T00:40:04.549031Z",
"number": "4",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-07T17:25:27.060886Z",
"number": "5",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
},
{
"date": "2026-03-07T17:25:30.564251Z",
"number": "6",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-07T17:38:53.358107Z",
"number": "7",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)."
},
{
"date": "2026-03-07T17:39:01.688784Z",
"number": "8",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-08T14:48:52.112817Z",
"number": "9",
"summary": "Source created.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-09T13:39:50.898157Z",
"number": "10",
"summary": "Description removed for source.| Description created for source.| References created (1)."
},
{
"date": "2026-03-09T18:12:52.779738Z",
"number": "11",
"summary": "Description removed for source.| Description created for source.| Products connected (1).| Products removed (1).| References created (1)."
},
{
"date": "2026-03-09T18:28:06.772147Z",
"number": "12",
"summary": "Products created (1).| Product Identifiers created (1)."
},
{
"date": "2026-03-09T18:28:09.931163Z",
"number": "13",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-09T18:39:13.274080Z",
"number": "14",
"summary": "Unknown change."
},
{
"date": "2026-03-19T15:29:11.832663Z",
"number": "15",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
},
{
"date": "2026-03-19T15:29:14.789247Z",
"number": "16",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T09:33:48.662070Z",
"number": "17",
"summary": "Source connected.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-25T18:15:33.303298Z",
"number": "18",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)."
},
{
"date": "2026-03-25T19:19:15.772647Z",
"number": "19",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (11).| Products created (7).| References created (3).| CWES updated (1)."
},
{
"date": "2026-03-25T19:19:21.199296Z",
"number": "20",
"summary": "NCSC Score updated."
}
],
"status": "interim",
"version": "20"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<0.2.12",
"product": {
"name": "vers:unknown/<0.2.12",
"product_id": "CSAFPID-5768567"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/>=0|<0.2.12",
"product": {
"name": "vers:unknown/>=0|<0.2.12",
"product_id": "CSAFPID-5764022"
}
}
],
"category": "product_name",
"name": "WeKnora"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<0.2.12",
"product": {
"name": "vers:unknown/<0.2.12",
"product_id": "CSAFPID-5772003",
"product_identification_helper": {
"cpe": "cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.1.0",
"product": {
"name": "vers:unknown/v0.1.0",
"product_id": "CSAFPID-5364807"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.1.1",
"product": {
"name": "vers:unknown/v0.1.1",
"product_id": "CSAFPID-5364808"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.1.2",
"product": {
"name": "vers:unknown/v0.1.2",
"product_id": "CSAFPID-5364809"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.1.3",
"product": {
"name": "vers:unknown/v0.1.3",
"product_id": "CSAFPID-5364810"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.1.5",
"product": {
"name": "vers:unknown/v0.1.5",
"product_id": "CSAFPID-5364811"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.1.6",
"product": {
"name": "vers:unknown/v0.1.6",
"product_id": "CSAFPID-5364812"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.0",
"product": {
"name": "vers:unknown/v0.2.0",
"product_id": "CSAFPID-5364813"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.1",
"product": {
"name": "vers:unknown/v0.2.1",
"product_id": "CSAFPID-5364814"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.10",
"product": {
"name": "vers:unknown/v0.2.10",
"product_id": "CSAFPID-5909251"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.11",
"product": {
"name": "vers:unknown/v0.2.11",
"product_id": "CSAFPID-5909252"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.2",
"product": {
"name": "vers:unknown/v0.2.2",
"product_id": "CSAFPID-5364815"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.3",
"product": {
"name": "vers:unknown/v0.2.3",
"product_id": "CSAFPID-5364816"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.4",
"product": {
"name": "vers:unknown/v0.2.4",
"product_id": "CSAFPID-5364817"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.5",
"product": {
"name": "vers:unknown/v0.2.5",
"product_id": "CSAFPID-5909253"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.6",
"product": {
"name": "vers:unknown/v0.2.6",
"product_id": "CSAFPID-5909254"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.7",
"product": {
"name": "vers:unknown/v0.2.7",
"product_id": "CSAFPID-5909255"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.8",
"product": {
"name": "vers:unknown/v0.2.8",
"product_id": "CSAFPID-5909256"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/v0.2.9",
"product": {
"name": "vers:unknown/v0.2.9",
"product_id": "CSAFPID-5909257"
}
}
],
"category": "product_name",
"name": "weknora"
}
],
"category": "vendor",
"name": "Tencent"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-30859",
"notes": [
{
"category": "description",
"text": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges. This issue has been patched in version 0.2.12.",
"title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-30859"
},
{
"category": "description",
"text": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges. This issue has been patched in version 0.2.12.",
"title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-30859"
},
{
"category": "description",
"text": "## Summary\nA broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (`models`, `messages`, `embeddings`), enabling unauthorized cross-tenant data access with user-level authentication privileges.\n\n---\n\n## Details\n\n### Root Cause\nThe vulnerability exists due to a mismatch between the queryable tables and the tables protected by tenant isolation in `internal/utils/inject.go`.\n\n**Tenant-isolated tables** (protected by automatic `WHERE tenant_id = X` clause):\n```\ntenants, knowledge_bases, knowledges, sessions, chunks\n```\n\n**Queryable tables** (allowed by `WithAllowedTables()` in `WithSecurityDefaults()`):\n```\ntenants, knowledge_bases, knowledges, sessions, messages, chunks, embeddings, models\n```\n\n**Gap**: The tables `messages`, `embeddings`, and `models` are queryable but NOT in the tenant isolation list. This means queries against these tables do NOT receive the automatic `WHERE tenant_id = X` filtering.\n\n### Vulnerable Code\n\n**File: `internal/utils/inject.go`**\n\n```go\nfunc WithTenantIsolation(tenantID uint64, tables ...string) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\tv.enableTenantInjection = true\n\t\tv.tenantID = tenantID\n\t\tv.tablesWithTenantID = make(map[string]bool)\n\t\tif len(tables) == 0 {\n\t\t\t// Default tables with tenant_id - MISSING: messages, embeddings, models\n\t\t\tv.tablesWithTenantID = map[string]bool{\n\t\t\t\t\"tenants\": true,\n\t\t\t\t\"knowledge_bases\": true,\n\t\t\t\t\"knowledges\": true,\n\t\t\t\t\"sessions\": true,\n\t\t\t\t\"chunks\": true,\n\t\t\t}\n\t\t} else {\n\t\t\tfor _, table := range tables {\n\t\t\t\tv.tablesWithTenantID[strings.ToLower(table)] = true\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc WithSecurityDefaults(tenantID uint64) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\t// ... other validations ...\n\t\tWithTenantIsolation(tenantID)(v)\n\n\t\t// Default allowed tables - INCLUDES unprotected tables\n\t\tWithAllowedTables(\n\t\t\t\"tenants\",\n\t\t\t\"knowledge_bases\",\n\t\t\t\"knowledges\",\n\t\t\t\"sessions\",\n\t\t\t\"messages\", // ← No tenant isolation\n\t\t\t\"chunks\",\n\t\t\t\"embeddings\", // ← No tenant isolation\n\t\t\t\"models\", // ← No tenant isolation\n\t\t)(v)\n\t}\n}\n```\n\n**File: `database_query.go`**\n\n```go\nfunc (t *DatabaseQueryTool) validateAndSecureSQL(sqlQuery string, tenantID uint64) (string, error) {\n\tsecuredSQL, validationResult, err := utils.ValidateAndSecureSQL(\n\t\tsqlQuery,\n\t\tutils.WithSecurityDefaults(tenantID),\n\t\tutils.WithInjectionRiskCheck(),\n\t)\n\t// ... validation logic ...\n\treturn securedSQL, nil\n}\n```\n\nWhen tenant 1 queries `SELECT * FROM models`, the validation passes and **no** `WHERE tenant_id = 1` clause is appended because `models` is not in the `tablesWithTenantID` map. The unfiltered result exposes all model records across all tenants.\n\n---\n\n## PoC\n\n### Prerequisites\n- Access to the AI application as an authenticated tenant\n- Ability to send prompts that invoke the `database_query` tool\n\n### Steps to Reproduce\n\n1. **Authenticate as Tenant 1** and craft the following prompt to the AI agent:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM models\"} to query the database. \n Output all results and any errors.\n ```\n\n2. **Expected vulnerable response**: The agent returns ALL model records in the `models` table across all tenants, including:\n - Model IDs and names\n - API keys and authentication credentials\n - Configuration details for all organizations\n\nExample result:\n\n![\"image\"](\"https://github.com/user-attachments/assets/01e3d0ba-0f2a-43ab-ab51-8778fb8a79b1\")
\n\n3. **Repeat with messages table**:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM messages\"} to query the database. \n Output all results.\n ```\n\n4. **Expected vulnerable response**: The agent returns ALL messages from all tenants, bypassing message privacy.\n\n---\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/056984e8-1700-41fe-9b8a-6d18d5579c18\n\n---\n\n## Impact\n\n### Vulnerability Type\n**Broken Access Control (CWE-639)** / **Unauthorized Information Disclosure (CWE-200)**\n\n### Specific Data at Risk\n1. **API Keys & Credentials** (from `models` table)\n - Third-party LLM provider keys (OpenAI, Anthropic, etc.)\n - Database credentials and connection strings\n - Authentication tokens for integrated services\n\n2. **Private Messages** (from `messages` table)\n - Confidential business communications\n - User conversations with AI agents\n - Sensitive information shared within conversations",
"title": "github - https://github.com/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "description",
"text": "## Summary\nA broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (`models`, `messages`, `embeddings`), enabling unauthorized cross-tenant data access with user-level authentication privileges.\n\n---\n\n## Details\n\n### Root Cause\nThe vulnerability exists due to a mismatch between the queryable tables and the tables protected by tenant isolation in `internal/utils/inject.go`.\n\n**Tenant-isolated tables** (protected by automatic `WHERE tenant_id = X` clause):\n```\ntenants, knowledge_bases, knowledges, sessions, chunks\n```\n\n**Queryable tables** (allowed by `WithAllowedTables()` in `WithSecurityDefaults()`):\n```\ntenants, knowledge_bases, knowledges, sessions, messages, chunks, embeddings, models\n```\n\n**Gap**: The tables `messages`, `embeddings`, and `models` are queryable but NOT in the tenant isolation list. This means queries against these tables do NOT receive the automatic `WHERE tenant_id = X` filtering.\n\n### Vulnerable Code\n\n**File: `internal/utils/inject.go`**\n\n```go\nfunc WithTenantIsolation(tenantID uint64, tables ...string) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\tv.enableTenantInjection = true\n\t\tv.tenantID = tenantID\n\t\tv.tablesWithTenantID = make(map[string]bool)\n\t\tif len(tables) == 0 {\n\t\t\t// Default tables with tenant_id - MISSING: messages, embeddings, models\n\t\t\tv.tablesWithTenantID = map[string]bool{\n\t\t\t\t\"tenants\": true,\n\t\t\t\t\"knowledge_bases\": true,\n\t\t\t\t\"knowledges\": true,\n\t\t\t\t\"sessions\": true,\n\t\t\t\t\"chunks\": true,\n\t\t\t}\n\t\t} else {\n\t\t\tfor _, table := range tables {\n\t\t\t\tv.tablesWithTenantID[strings.ToLower(table)] = true\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc WithSecurityDefaults(tenantID uint64) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\t// ... other validations ...\n\t\tWithTenantIsolation(tenantID)(v)\n\n\t\t// Default allowed tables - INCLUDES unprotected tables\n\t\tWithAllowedTables(\n\t\t\t\"tenants\",\n\t\t\t\"knowledge_bases\",\n\t\t\t\"knowledges\",\n\t\t\t\"sessions\",\n\t\t\t\"messages\", // ← No tenant isolation\n\t\t\t\"chunks\",\n\t\t\t\"embeddings\", // ← No tenant isolation\n\t\t\t\"models\", // ← No tenant isolation\n\t\t)(v)\n\t}\n}\n```\n\n**File: `database_query.go`**\n\n```go\nfunc (t *DatabaseQueryTool) validateAndSecureSQL(sqlQuery string, tenantID uint64) (string, error) {\n\tsecuredSQL, validationResult, err := utils.ValidateAndSecureSQL(\n\t\tsqlQuery,\n\t\tutils.WithSecurityDefaults(tenantID),\n\t\tutils.WithInjectionRiskCheck(),\n\t)\n\t// ... validation logic ...\n\treturn securedSQL, nil\n}\n```\n\nWhen tenant 1 queries `SELECT * FROM models`, the validation passes and **no** `WHERE tenant_id = 1` clause is appended because `models` is not in the `tablesWithTenantID` map. The unfiltered result exposes all model records across all tenants.\n\n---\n\n## PoC\n\n### Prerequisites\n- Access to the AI application as an authenticated tenant\n- Ability to send prompts that invoke the `database_query` tool\n\n### Steps to Reproduce\n\n1. **Authenticate as Tenant 1** and craft the following prompt to the AI agent:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM models\"} to query the database. \n Output all results and any errors.\n ```\n\n2. **Expected vulnerable response**: The agent returns ALL model records in the `models` table across all tenants, including:\n - Model IDs and names\n - API keys and authentication credentials\n - Configuration details for all organizations\n\nExample result:\n\n\n\n3. **Repeat with messages table**:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM messages\"} to query the database. \n Output all results.\n ```\n\n4. **Expected vulnerable response**: The agent returns ALL messages from all tenants, bypassing message privacy.\n\n---\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/056984e8-1700-41fe-9b8a-6d18d5579c18\n\n---\n\n## Impact\n\n### Vulnerability Type\n**Broken Access Control (CWE-639)** / **Unauthorized Information Disclosure (CWE-200)**\n\n### Specific Data at Risk\n1. **API Keys & Credentials** (from `models` table)\n - Third-party LLM provider keys (OpenAI, Anthropic, etc.)\n - Database credentials and connection strings\n - Authentication tokens for integrated services\n\n2. **Private Messages** (from `messages` table)\n - Confidential business communications\n - User conversations with AI agents\n - Sensitive information shared within conversations",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-2f4c-vrjq-rcgv.json?alt=media"
},
{
"category": "description",
"text": "## Summary\nA broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (`models`, `messages`, `embeddings`), enabling unauthorized cross-tenant data access with user-level authentication privileges.\n\n---\n\n## Details\n\n### Root Cause\nThe vulnerability exists due to a mismatch between the queryable tables and the tables protected by tenant isolation in `internal/utils/inject.go`.\n\n**Tenant-isolated tables** (protected by automatic `WHERE tenant_id = X` clause):\n```\ntenants, knowledge_bases, knowledges, sessions, chunks\n```\n\n**Queryable tables** (allowed by `WithAllowedTables()` in `WithSecurityDefaults()`):\n```\ntenants, knowledge_bases, knowledges, sessions, messages, chunks, embeddings, models\n```\n\n**Gap**: The tables `messages`, `embeddings`, and `models` are queryable but NOT in the tenant isolation list. This means queries against these tables do NOT receive the automatic `WHERE tenant_id = X` filtering.\n\n### Vulnerable Code\n\n**File: `internal/utils/inject.go`**\n\n```go\nfunc WithTenantIsolation(tenantID uint64, tables ...string) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\tv.enableTenantInjection = true\n\t\tv.tenantID = tenantID\n\t\tv.tablesWithTenantID = make(map[string]bool)\n\t\tif len(tables) == 0 {\n\t\t\t// Default tables with tenant_id - MISSING: messages, embeddings, models\n\t\t\tv.tablesWithTenantID = map[string]bool{\n\t\t\t\t\"tenants\": true,\n\t\t\t\t\"knowledge_bases\": true,\n\t\t\t\t\"knowledges\": true,\n\t\t\t\t\"sessions\": true,\n\t\t\t\t\"chunks\": true,\n\t\t\t}\n\t\t} else {\n\t\t\tfor _, table := range tables {\n\t\t\t\tv.tablesWithTenantID[strings.ToLower(table)] = true\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc WithSecurityDefaults(tenantID uint64) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\t// ... other validations ...\n\t\tWithTenantIsolation(tenantID)(v)\n\n\t\t// Default allowed tables - INCLUDES unprotected tables\n\t\tWithAllowedTables(\n\t\t\t\"tenants\",\n\t\t\t\"knowledge_bases\",\n\t\t\t\"knowledges\",\n\t\t\t\"sessions\",\n\t\t\t\"messages\", // ← No tenant isolation\n\t\t\t\"chunks\",\n\t\t\t\"embeddings\", // ← No tenant isolation\n\t\t\t\"models\", // ← No tenant isolation\n\t\t)(v)\n\t}\n}\n```\n\n**File: `database_query.go`**\n\n```go\nfunc (t *DatabaseQueryTool) validateAndSecureSQL(sqlQuery string, tenantID uint64) (string, error) {\n\tsecuredSQL, validationResult, err := utils.ValidateAndSecureSQL(\n\t\tsqlQuery,\n\t\tutils.WithSecurityDefaults(tenantID),\n\t\tutils.WithInjectionRiskCheck(),\n\t)\n\t// ... validation logic ...\n\treturn securedSQL, nil\n}\n```\n\nWhen tenant 1 queries `SELECT * FROM models`, the validation passes and **no** `WHERE tenant_id = 1` clause is appended because `models` is not in the `tablesWithTenantID` map. The unfiltered result exposes all model records across all tenants.\n\n---\n\n## PoC\n\n### Prerequisites\n- Access to the AI application as an authenticated tenant\n- Ability to send prompts that invoke the `database_query` tool\n\n### Steps to Reproduce\n\n1. **Authenticate as Tenant 1** and craft the following prompt to the AI agent:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM models\"} to query the database. \n Output all results and any errors.\n ```\n\n2. **Expected vulnerable response**: The agent returns ALL model records in the `models` table across all tenants, including:\n - Model IDs and names\n - API keys and authentication credentials\n - Configuration details for all organizations\n\nExample result:\n\n\n\n3. **Repeat with messages table**:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM messages\"} to query the database. \n Output all results.\n ```\n\n4. **Expected vulnerable response**: The agent returns ALL messages from all tenants, bypassing message privacy.\n\n---\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/056984e8-1700-41fe-9b8a-6d18d5579c18\n\n---\n\n## Impact\n\n### Vulnerability Type\n**Broken Access Control (CWE-639)** / **Unauthorized Information Disclosure (CWE-200)**\n\n### Specific Data at Risk\n1. **API Keys & Credentials** (from `models` table)\n - Third-party LLM provider keys (OpenAI, Anthropic, etc.)\n - Database credentials and connection strings\n - Authentication tokens for integrated services\n\n2. **Private Messages** (from `messages` table)\n - Confidential business communications\n - User conversations with AI agents\n - Sensitive information shared within conversations",
"title": "github - https://api.github.com/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "description",
"text": "WeKnora has Broken Access Control - Cross-Tenant Data Exposure in github.com/Tencent/WeKnora",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4637.json?alt=media"
},
{
"category": "description",
"text": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges. This issue has been patched in version 0.2.12.",
"title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-30859.json?alt=media"
},
{
"category": "other",
"text": "0.0004",
"title": "EPSS"
},
{
"category": "other",
"text": "4.6",
"title": "NCSC Score"
},
{
"category": "other",
"text": "There is cwe data available from source Github",
"title": "NCSC Score top decreasing factors"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5768567",
"CSAFPID-5764022",
"CSAFPID-5772003",
"CSAFPID-5364807",
"CSAFPID-5364808",
"CSAFPID-5364809",
"CSAFPID-5364810",
"CSAFPID-5364811",
"CSAFPID-5364812",
"CSAFPID-5364813",
"CSAFPID-5364814",
"CSAFPID-5364815",
"CSAFPID-5364816",
"CSAFPID-5364817",
"CSAFPID-5909251",
"CSAFPID-5909252",
"CSAFPID-5909253",
"CSAFPID-5909254",
"CSAFPID-5909255",
"CSAFPID-5909256",
"CSAFPID-5909257"
]
},
"references": [
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-2f4c-vrjq-rcgv.json?alt=media"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://github.com/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "external",
"summary": "Source raw - github",
"url": "https://api.github.com/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30859"
},
{
"category": "external",
"summary": "Source raw - nvd",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-30859"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30859"
},
{
"category": "external",
"summary": "Source raw - cveprojectv5",
"url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/30xxx/CVE-2026-30859.json"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30859"
},
{
"category": "external",
"summary": "Source raw - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://api.github.com/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4637.json?alt=media"
},
{
"category": "external",
"summary": "Source - osv",
"url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-30859.json?alt=media"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd; osv",
"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-2f4c-vrjq-rcgv"
},
{
"category": "external",
"summary": "Reference - github; osv",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30859"
},
{
"category": "external",
"summary": "Reference - osv",
"url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30859.json"
}
],
"scores": [
{
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"products": [
"CSAFPID-5364807",
"CSAFPID-5364808",
"CSAFPID-5364809",
"CSAFPID-5364810",
"CSAFPID-5364811",
"CSAFPID-5364812",
"CSAFPID-5364813",
"CSAFPID-5364814",
"CSAFPID-5364815",
"CSAFPID-5364816",
"CSAFPID-5364817",
"CSAFPID-5764022",
"CSAFPID-5768567",
"CSAFPID-5772003",
"CSAFPID-5909251",
"CSAFPID-5909252",
"CSAFPID-5909253",
"CSAFPID-5909254",
"CSAFPID-5909255",
"CSAFPID-5909256",
"CSAFPID-5909257"
]
}
],
"title": "CVE-2026-30859"
}
]
}