Incorrect Privilege Assignment Affecting weaviate-1.34-compat package, versions *


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.29% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-WEAVIATE134COMPAT-17898112
  • published9 Jul 2026
  • disclosed2 Jul 2026

Introduced: 2 Jul 2026

NewCVE-2026-59093  (opens in a new tab)
CWE-266  (opens in a new tab)

How to fix?

There is no fixed version for Minimos:latest weaviate-1.34-compat.

NVD Description

Note: Versions mentioned in the description apply only to the upstream weaviate-1.34-compat package and not the weaviate-1.34-compat package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers (POST /authz/users/{id}/assign and /authz/groups/{id}/assign) authorize only that the caller may assign roles to the target user or group, not the permissions contained in the assigned roles, unlike role creation which enforces that a user can only create roles with permissions less than or equal to its own. A user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission can assign the built-in admin role, or any high-privilege custom role, to itself or others, escalating to full administrative control of the database.

CVSS Base Scores

version 3.1