CVE-2023-38976
Description
An issue in weaviate v.1.20.0 allows a remote attacker to cause a denial of service via the handleUnbatchedGraphQLRequest function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Weaviate v1.20.0 allows remote attackers to cause denial of service via the handleUnbatchedGraphQLRequest function.
Vulnerability
CVE-2023-38976 is a denial of service (DoS) vulnerability in Weaviate, an open-source vector database [1]. It affects version 1.20.0 and stems from a flaw in the handleUnbatchedGraphQLRequest function, which can be triggered remotely without authentication.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted GraphQL request to the vulnerable endpoint. The attack requires network access to the Weaviate instance but no pre-existing credentials [2]. The function fails to properly handle certain malformed or high-load requests, leading to resource exhaustion.
Impact
Successful exploitation results in a denial of service, causing the Weaviate server to become unresponsive or crash. This can disrupt applications relying on the database for vector search and data retrieval, impacting availability.
Mitigation
The vulnerability has been patched in Weaviate versions 1.18.6 [3] and 1.19.13 [4]. Users running version 1.20.0 should upgrade to the latest patched release immediately. No workarounds are documented.
- GitHub - weaviate/weaviate: Weaviate is an open-source vector database that stores both objects and vectors, allowing for the combination of vector search with structured filtering with the fault tolerance and scalability of a cloud-native database.
- NVD - CVE-2023-38976
- Release v1.18.6 - Fix vulnerability · weaviate/weaviate
- Release v1.19.13 - Fix vulnerability · weaviate/weaviate
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/weaviate/weaviate (Go) | >= 1.20.0, < 1.20.6 | 1.20.6 |
| github.com/weaviate/weaviate (Go) | >= 1.19.0, < 1.19.13 | 1.19.13 |
| github.com/weaviate/weaviate (Go) | < 1.18.6 | 1.18.6 |
Affected products
- weaviate/weaviate (no CPE), 3 version ranges (OSV coordinates):
  - range: < 0
  - range: < 0
  - range: >= 1.20.0, < 1.20.6
Patches
- 2a7b208d9aca
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8697-479h-5mfp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-38976 (ghsa, ADVISORY)
- github.com/weaviate/weaviate/commit/2a7b208d9aca07e28969e3be82689c184ccf9118 (ghsa, WEB)
- github.com/weaviate/weaviate/issues/3258 (ghsa, WEB)
- github.com/weaviate/weaviate/pull/3431 (ghsa, WEB)
- github.com/weaviate/weaviate/releases/tag/v1.18.6 (ghsa, WEB)
- github.com/weaviate/weaviate/releases/tag/v1.19.13 (ghsa, WEB)
- github.com/weaviate/weaviate/releases/tag/v1.20.6 (ghsa, WEB)
- github.com/weaviate/weaviate/security/advisories/GHSA-8697-479h-5mfp (ghsa, WEB)
- aisec.today/Weaviate-26981c6c5f794077bd51d24c88cebf7a (mitre)
News mentions
No linked articles in our index yet.