A vulnerability rated critical has been found in Weaviate up to 1.37.7. It affects the function validateConfig in the file usecases/auth/authentication/apikey/client.go of the Static API Key Handler component.
Manipulating the StaticApiKey argument leads to an authorization bypass.
This vulnerability is tracked as CVE-2026-11500. The attack can be initiated remotely, and an exploit is available.
You should upgrade the affected component.