PatchSiren cyber security CVE debrief
CVE-2026-59093 weaviate CVE debrief
CVE-2026-59093 is a high-severity vulnerability in Weaviate, a cloud-native, modular, and open-source vector search engine. The vulnerability allows for role-assignment escalation, potentially leading to full administrative control of the database. Weaviate versions prior to 1.38.0 are affected. The vulnerability is caused by the assignRoleToUser and assignRoleToGroup handlers not verifying that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. This allows a user with only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to assign high-privilege custom roles, including the built-in admin role, to themselves or others.
- Vendor
- weaviate
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-02
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-02
- Advisory updated
- 2026-07-07
Who should care
Users and administrators of Weaviate instances, especially those with high-privilege roles, should be aware of this vulnerability and take immediate action to upgrade to version 1.38.0 or later. Operators, platform administrators, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The assignRoleToUser and assignRoleToGroup handlers in Weaviate do not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. This allows a user with only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to assign high-privilege custom roles, including the built-in admin role, to themselves or others. The vulnerability affects Weaviate versions prior to 1.38.0.
Defensive priority
High
Recommended defensive actions
- Upgrade to Weaviate version 1.38.0 or later
- Review and restrict role assignments for users and groups
- Monitor for suspicious role assignment activities
- Implement additional access controls and monitoring
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-02T20:17:07.410Z and last modified on 2026-07-07T16:14:10.787Z. The NVD entry is currently Analyzed. There is limited information available about the vulnerability beyond the official CVE and NVD records. Defenders should verify the affected scope and severity with the vendor and review the official advisory for guidance. The vulnerability affects Weaviate versions prior to 1.38.0.
Official resources
-
CVE-2026-59093 CVE record
CVE.org
-
CVE-2026-59093 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Release Notes, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T20:17:07.410Z and has not been modified since then. The NVD entry is currently Analyzed.