CVE-2026-10130
FalkorDB · QueryWeaver
QueryWeaver contains an authentication bypass vulnerability allowing unauthenticated attackers to obtain valid session tokens by submitting signup requests with known victim email addresses.
Executive summary
An authentication bypass vulnerability in FalkorDB QueryWeaver allows unauthenticated attackers to gain unauthorized access to existing user accounts.
Vulnerability
This is an authentication bypass issue (CWE-863) where the signup process fails to properly validate account ownership. An unauthenticated attacker can exploit this logic flaw to hijack active sessions for any registered user by simply providing their email address during a signup request.
Business impact
The ability to bypass authentication and hijack user sessions poses a severe risk to data integrity and privacy. With a CVSS score of 8.2, this vulnerability could allow unauthorized parties to access, modify, or delete sensitive data stored within the QueryWeaver platform.
Remediation
Immediate Action: Update QueryWeaver to version 0.3.1 or later to remediate the broken authentication logic in the signup workflow.
Proactive Monitoring: Audit user account creation logs for anomalous signup patterns, particularly those targeting existing high-privilege or sensitive user email addresses.
Compensating Controls: If immediate patching is not feasible, consider disabling public user registration or implementing stricter email domain verification processes.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
The vulnerability in QueryWeaver is critical and requires immediate attention to prevent account takeover. Administrators should apply the 0.3.1 patch as soon as possible and review existing user records for signs of unauthorized access or suspicious account modifications.