PatchSiren cyber security CVE debrief
CVE-2026-11500 weaviate CVE debrief
A vulnerability was identified in Weaviate up to 1.37.7. It affects the function validateConfig in the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. Manipulation of the argument StaticApiKey leads to authorization bypass. The attack can be initiated remotely, but attack complexity is rather high and exploitability is stated to be difficult. An exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 resolves this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0.
- Vendor: weaviate
- Product: weaviate
- CVSS: LOW 1.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of Weaviate up to version 1.37.7 should be aware of this vulnerability and take steps to upgrade to a patched version.
Technical summary
The vulnerability is caused by a flaw in the validateConfig function of the Static API Key Handler in Weaviate up to 1.37.7. It allows authorization bypass and can be exploited remotely, although attack complexity is high and exploitation is considered difficult.
Defensive priority
LOW
Recommended defensive actions
- Upgrade to version 1.38.0-rc.0 or later to resolve this issue.
- Alternatively, apply the patch with identifier 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0.
Evidence notes
The CVE record and details were sourced from official vulnerability databases and vendor information.
Official resources
CVE-2026-11500 was published on 2026-06-08T10:16:32.320Z and modified on 2026-06-08T14:57:14.757Z.