CVE-2026-30856

MEDIUM 5.9

WeKnora: Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.

CWE	CWE-706
Vendor	tencent
Product	weknora
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for tencent weknora

Be the first to know when new medium vulnerabilities affecting tencent weknora are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Affected Versions

Tencent / WeKnora

< 0.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx