CVE-2026-8786
6.3 MEDIUMA vulnerability has been found in Tencent WeKnora up to 0.3.6
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 6.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-285, CWE-639
Affected products
| Vendor | Product |
|---|---|
| tencent | weknora |
Description
A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8786
- [Exploit reference]https://gist.github.com/YLChen-007/1cdc50418f29af7ae671466425e52c7b
- [Exploit reference]https://vuldb.com/submit/812172
- [Other]https://vuldb.com/vuln/364410
- [Other]https://vuldb.com/vuln/364410/cti
Related CVEs
Same CWE
- CVE-2026-53863 — OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs (7.1 HIGH)
- CVE-2026-10780 — The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2 (4.3 MEDIUM)
- CVE-2026-48599 — Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify res...
- CVE-2026-52699 — Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions (7.5 HIGH)
- CVE-2026-48872 — Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions (7.5 HIGH)