CVE-2026-30856

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-07 17:15

Updated : 2026-03-09 13:35

NVD link : CVE-2026-30856

Mitre link : CVE-2026-30856

CVE.ORG link : CVE-2026-30856

JSON object : View

Products Affected

No product.

CWE

CWE-706

Use of Incorrectly-Resolved Name or Reference

{"id": "CVE-2026-30856", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 1.2}]}, "published": "2026-03-07T17:15:53.210", "references": [{"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx", "source": "security-advisories@github.com"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-706"}]}], "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0."}, {"lang": "es", "value": "WeKnora es un framework impulsado por LLM dise\u00f1ado para la comprensi\u00f3n profunda de documentos y la recuperaci\u00f3n sem\u00e1ntica. Antes de la versi\u00f3n 0.3.0, una vulnerabilidad que implica colisi\u00f3n de nombres de herramientas e inyecci\u00f3n indirecta de prompts permite a un servidor MCP remoto malicioso secuestrar la ejecuci\u00f3n de herramientas. Al explotar una convenci\u00f3n de nombres ambigua en el cliente MCP (mcp_{service}_{tool}), un atacante puede registrar una herramienta maliciosa que sobrescribe una leg\u00edtima (por ejemplo, tavily_extract). Esto permite al atacante redirigir el flujo de ejecuci\u00f3n del LLM, exfiltrar prompts del sistema, contexto y potencialmente ejecutar otras herramientas con los privilegios del usuario. Este problema ha sido parcheado en la versi\u00f3n 0.3.0."}], "lastModified": "2026-03-09T13:35:07.393", "sourceIdentifier": "security-advisories@github.com"}