PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59093 weaviate CVE debrief

CVE-2026-59093 is a high-severity vulnerability in Weaviate, a cloud-native, modular, and open-source vector search engine. The vulnerability allows for role-assignment escalation, potentially leading to full administrative control of the database. Weaviate versions prior to 1.38.0 are affected. The vulnerability is caused by the assignRoleToUser and assignRoleToGroup handlers not verifying that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. This allows a user with only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to assign high-privilege custom roles, including the built-in admin role, to themselves or others.

Vendor
weaviate
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Users and administrators of Weaviate instances, especially those with high-privilege roles, should be aware of this vulnerability and take immediate action to upgrade to version 1.38.0 or later. Operators, platform administrators, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The assignRoleToUser and assignRoleToGroup handlers in Weaviate do not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. This allows a user with only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to assign high-privilege custom roles, including the built-in admin role, to themselves or others. The vulnerability affects Weaviate versions prior to 1.38.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Weaviate version 1.38.0 or later
  • Review and restrict role assignments for users and groups
  • Monitor for suspicious role assignment activities
  • Implement additional access controls and monitoring
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-02T20:17:07.410Z and last modified on 2026-07-07T16:14:10.787Z. The NVD entry is currently Analyzed. There is limited information available about the vulnerability beyond the official CVE and NVD records. Defenders should verify the affected scope and severity with the vendor and review the official advisory for guidance. The vulnerability affects Weaviate versions prior to 1.38.0.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T20:17:07.410Z and has not been modified since then. The NVD entry is currently Analyzed.