{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/queryweaver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-10130"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["QueryWeaver"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","cve","web-vulnerability","queryweaver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-10130, exists in the QueryWeaver application. This flaw allows unauthenticated attackers to gain unauthorized access to existing user accounts. The vulnerability stems from the application's signup process: when a signup request is submitted with an email address corresponding to an existing user, QueryWeaver's underlying Cypher MERGE operation unconditionally creates and links a new session token to that user's identity \u003cem\u003ebefore\u003c/em\u003e verifying if the email already belongs to an existing account. As a result, the server returns a valid, authenticated session token directly to the attacker, completely bypassing any credential checks or user interaction, posing a significant risk to user data confidentiality and integrity. The vulnerability affects QueryWeaver instances where users can register.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable QueryWeaver application instance.\u003c/li\u003e\n\u003cli\u003eAttacker gathers publicly available or leaked information to identify a legitimate victim's email address associated with an existing QueryWeaver account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts and sends an HTTP POST request to the QueryWeaver application's signup route, including the victim's known email address in the request.\u003c/li\u003e\n\u003cli\u003eThe QueryWeaver application processes the signup request internally.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the application performs a Cypher MERGE operation that generates a new session token and links it to the existing user identity corresponding to the provided email, without prior authentication checks.\u003c/li\u003e\n\u003cli\u003eThe QueryWeaver server responds to the attacker's signup request, inadvertently returning the newly generated, valid authenticated session token associated with the victim's account.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts and utilizes the obtained session token in subsequent requests to the QueryWeaver application.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses authentication and gains full unauthorized access to the victim's QueryWeaver account, impersonating the legitimate user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-10130 grants unauthenticated attackers full control over victim accounts within the QueryWeaver application. This can lead to severe data breaches, including the exposure of sensitive personal and organizational data, financial fraud if linked to payment systems, and reputational damage. Attackers can view, modify, or delete account data, send messages, or perform any actions the legitimate user is authorized to perform. While specific victim counts or targeted sectors are not available in the provided information, any organization using QueryWeaver is at risk, particularly those handling confidential or critical data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-10130 immediately\u003c/strong\u003e by applying the latest security updates provided by the QueryWeaver vendor to all deployments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement HTTP logging\u003c/strong\u003e for the QueryWeaver webserver to monitor for suspicious or high volumes of signup attempts, especially those leading to immediate successful session establishment from unusual source IPs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor authentication logs\u003c/strong\u003e for QueryWeaver for unusual session activity associated with existing accounts that did not involve a prior login event, potentially indicating an authentication bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T23:17:32Z","date_published":"2026-07-18T23:17:32Z","id":"https://feed.craftedsignal.io/briefs/2026-07-queryweaver-auth-bypass/","summary":"CVE-2026-10130 describes an authentication bypass vulnerability in QueryWeaver, enabling unauthenticated attackers to obtain valid session tokens for existing user accounts by submitting a crafted signup request with a known victim's email address, leveraging a Cypher MERGE operation that unconditionally links a new token before checking for existing accounts.","title":"QueryWeaver Authentication Bypass via Signup Request (CVE-2026-10130)","url":"https://feed.craftedsignal.io/briefs/2026-07-queryweaver-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - QueryWeaver","version":"https://jsonfeed.org/version/1.1"}