VYPR
Medium severity · 5.0 · NVD Advisory · Published Jun 8, 2026 · Updated Jun 8, 2026

CVE-2026-11500

Description

Weaviate's Static API Key Handler allows authorization bypass via duplicate API keys, potentially leading to unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in Weaviate versions up to and including 1.37.7 in the validateConfig function of the Static API Key Handler component (usecases/auth/authentication/apikey/client.go). The validator accepted a configuration in which the same static API key appears more than once in the allowed-key list, each occurrence mapped to a different user, so a single key resolved ambiguously and authorization could be bypassed.

Exploitation

The attacker does not need to alter the configuration: the precondition is an operator misconfiguration in which the same static API key appears more than once in the allowed-key list, mapped to different users. A client presenting that key is authenticated as whichever user is listed first for it, which may be more privileged than the user the key was issued for. Reference [2] demonstrates the order dependence with two Weaviate instances that share the same static API key but list the associated users in a different order. The advisory rates exploitability as difficult, and the attack requires remote access to the API.

Impact

Successful exploitation allows the holder of a duplicated key to bypass authorization controls and act as the first user configured for that key. This could lead to unauthorized access to data or functionality within the Weaviate instance, up to the privileges of that first-listed user.

Mitigation

This vulnerability is resolved in Weaviate version 1.38.0-rc.0, released on 2026-06-08 [4]. The fix is available via commit 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0 [3]; patched versions reject a configuration that repeats a static API key. Users are advised to upgrade to the patched version. Until they can, operators should audit the static API key configuration and ensure every key appears exactly once and maps to a single intended user.

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 entries
  • Weaviate/Weaviate (2 version entries, no CPE)
    • range: <=1.37.7

Patches

1 patch: 40f2cc32279f

Merge pull request #11393 from 3em0/fix/11392-static-api-key-duplicates

https://github.com/weaviate/weaviate · Dirk Kulawiak · May 22, 2026 · via nvd-ref
2 files changed · +15 −0
  • usecases/auth/authentication/apikey/client.go (+5 −0, modified)
    @@ -56,10 +56,15 @@ func (c *StaticApiKey) validateConfig() error {
     		return fmt.Errorf("need at least one valid allowed key")
     	}
     
    +	seenKeys := make(map[string]struct{}, len(c.config.AllowedKeys))
     	for _, key := range c.config.AllowedKeys {
     		if len(key) == 0 {
     			return fmt.Errorf("keys cannot have length 0")
     		}
    +		if _, ok := seenKeys[key]; ok {
    +			return fmt.Errorf("keys must be unique")
    +		}
    +		seenKeys[key] = struct{}{}
     	}
     
     	if len(c.config.Users) < 1 {
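Review bot: the new `return fmt.Errorf("keys must be unique")` in the duplicate branch gives an operator no way to locate the offending entry; the loop already has an index available (`for _, key := range` can become `for i, key := range`), so report the position of the repeated key, e.g. `fmt.Errorf("keys must be unique: key at index %d repeats an earlier key", i)`, while still never echoing the key value itself. The check is correctly placed ahead of the `Users` length comparison that follows, so a duplicate is rejected regardless of how users are mapped.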
    
  • usecases/auth/authentication/apikey/client_test.go (+10 −0, modified)
    @@ -166,6 +166,16 @@ func Test_APIKeyClient(t *testing.T) {
     			expectConfigErr:    true,
     			expectConfigErrMsg: "length of users and keys must match, alternatively provide single user for all keys",
     		},
    +		{
    +			name: "duplicate keys",
    +			config: config.StaticAPIKey{
    +				Enabled:     true,
    +				AllowedKeys: []string{"secret-key", "secret-key"},
    +				Users:       []string{"jane", "jessica"},
    +			},
    +			expectConfigErr:    true,
    +			expectConfigErrMsg: "keys must be unique",
    +		},
     	}
     
     	for _, test := range tests {
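Review bot: the single added case covers two adjacent identical keys with two users; add a case where the duplicate is non-adjacent (e.g. `AllowedKeys: []string{"a", "b", "a"}`) so the test shows the set-based check, not a consecutive comparison, is what rejects it, and a case with duplicate keys and a single shared user (`Users: []string{"jane"}`), since the error text in the preceding case says a single user may be provided for all keys and the new rule should be seen to reject duplicates in that mode too.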
    

Vulnerability mechanics

Root cause

"The static API key validator incorrectly accepts duplicate API keys, leading to authentication confusion."

Attack vector

An attacker holding a static API key that the operator has configured more than once, for different users, is authenticated as the first matching user in the configuration, which may be a high-privilege account. This lets the key holder bypass authorization checks and act with that user's privileges, as stated in [ref_id=1]. The attack is remotely executable but has high complexity and is described as difficult to exploit [ref_id=1].

Affected code

The vulnerability resides in the `validateConfig` function within the `client.go` file, located in `usecases/auth/authentication/apikey/`. Specifically, the logic for parsing and validating `AllowedKeys` did not prevent duplicate entries, leading to the issue described in [ref_id=1]. The commit `40f2cc32279f0f8a51016c3c6870a2c0c808e6c0` addresses this by modifying the `validateConfig` function to check for key uniqueness [ref_id=2].

What the fix does

The patch introduces a check to ensure that all configured static API keys are unique. A map is used to track seen keys during configuration validation. If a duplicate key is detected, the configuration process will now fail with an error, preventing the application from starting with an insecure configuration. This change ensures that each static API key maps to a single, unambiguous user, thereby resolving the privilege confusion vulnerability [ref_id=2].
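The behaviour described under Attack vector and the rule introduced by the fix, as an added Go example that is not Weaviate's code: `resolveUser` models the pre-fix first-match lookup the page describes, and `validateConfigHardened` applies the same uniqueness rule as the patch while reporting the index of the duplicate without echoing the secret. The struct and function names, the comma-separated list handling, and the sample misconfiguration are assumptions constructed for this illustration; the same validator can be pointed at an existing allowed-key list to audit it before upgrading.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// staticAPIKeyConfig mirrors the shape of the static API key settings described
// on this page: a list of allowed keys and a parallel list of users, or a single
// user shared by all keys. Field and type names are assumptions, not Weaviate's.
type staticAPIKeyConfig struct {
	AllowedKeys []string
	Users       []string
}

// resolveUser models the pre-fix behaviour the advisory describes: the presented
// key is matched against AllowedKeys in order and the user at the first matching
// position is returned. With a duplicated key, whichever user is listed first
// wins, regardless of which user the operator meant that key for.
func resolveUser(cfg staticAPIKeyConfig, presented string) (string, bool) {
	for i, k := range cfg.AllowedKeys {
		if k == presented {
			if len(cfg.Users) == 1 {
				return cfg.Users[0], true
			}
			return cfg.Users[i], true
		}
	}
	return "", false
}

// validateConfigHardened reproduces the uniqueness rule introduced by the fix
// (a set of seen keys, rejecting repeats) and additionally reports the index of
// the offending entry without echoing the secret, so an operator can locate the
// misconfiguration in their key list.
func validateConfigHardened(cfg staticAPIKeyConfig) error {
	if len(cfg.AllowedKeys) == 0 {
		return errors.New("need at least one valid allowed key")
	}
	seen := make(map[string]int, len(cfg.AllowedKeys))
	for i, k := range cfg.AllowedKeys {
		if k == "" {
			return fmt.Errorf("key at index %d has length 0", i)
		}
		if first, dup := seen[k]; dup {
			return fmt.Errorf("keys must be unique: key at index %d duplicates key at index %d", i, first)
		}
		seen[k] = i
	}
	if len(cfg.Users) != 1 && len(cfg.Users) != len(cfg.AllowedKeys) {
		return errors.New("length of users and keys must match, alternatively provide single user for all keys")
	}
	return nil
}

// parseCommaList splits a comma-separated list as it would appear in an
// environment variable or config file, trimming whitespace around each entry.
func parseCommaList(s string) []string {
	parts := strings.Split(s, ",")
	out := make([]string, 0, len(parts))
	for _, p := range parts {
		out = append(out, strings.TrimSpace(p))
	}
	return out
}

func main() {
	// Constructed misconfiguration: the same key listed twice, admin listed first.
	cfg := staticAPIKeyConfig{
		AllowedKeys: parseCommaList("secret-key, secret-key"),
		Users:       parseCommaList("admin, reader"),
	}
	user, ok := resolveUser(cfg, "secret-key")
	fmt.Printf("pre-fix resolution: user=%q found=%v\n", user, ok)
	fmt.Println("hardened validation:", validateConfigHardened(cfg))
}
```

Running the block resolves the shared key to `admin` even though the operator also mapped it to `reader`, which is the privilege confusion the page describes, and the hardened validator rejects the same configuration pointing at index 1 as a duplicate of index 0.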

Preconditions

  • config: The system must be configured with duplicate static API keys, where the same key is associated with multiple users.
  • auth: The attacker must possess a static API key that is configured as a duplicate.

Reproduction

Build Weaviate from the affected source (commit `20f14bed78eddac098f84aad97204c0d86ad0c34`). Start a single-node instance with the same static API key configured twice, with an admin user listed before a lower-privileged user for that key. Using the shared key, attempt to create a collection. The expected behavior is that the request is treated as the lower-privileged user and rejected with 403 Forbidden; the actual behavior is HTTP/1.1 200 OK, because the key resolved to the admin user listed first [ref_id=1].

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7 references; the entries themselves are not reproduced on this page.

News mentions

0 (no linked articles in our index yet)