Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
Published: 2026-01-10
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

WeKnora, Tencent's LLM‑powered document understanding framework, contains a command injection flaw in its MCP stdio configuration. An authenticated user can supply arbitrary values for stdio_config.command and args, and the server executes them as a subprocess. The attacker therefore runs code of their choosing with the privileges of the WeKnora service process, which in practice means control of the host it runs on. The weakness is classified as CWE‑77 (command injection) and carries a CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): reachable over the network, low attack complexity, only a low‑privilege account required, no user interaction, and a scope change because the impact extends beyond the vulnerable component.

Affected Systems

All deployments of Tencent's WeKnora before version 0.2.5 are affected; version 0.2.5 contains the fix.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so observed exploitation is currently low; the SSVC assessment nevertheless records a public proof of concept (Exploitation: poc) with total technical impact. The only barrier is an authenticated account with rights to modify MCP stdio settings: once that is satisfied, the attacker executes arbitrary commands, so the confidentiality, integrity, and availability of the entire service instance are at risk. The CVSS score of 10 keeps the severity at the maximum level, and the official fix is available in version 0.2.5.

Generated by OpenCVE AI on April 18, 2026 at 19:16 UTC.

Remediation

The vendor fix is WeKnora 0.2.5, which patches the injection. No workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Update WeKnora to version 0.2.5 or later to apply the official patch
  • Restrict the ability to create or modify MCP stdio configurations to trusted administrators; this is an authorization control, not only an authentication one, since any authenticated account with that right can exploit the flaw
  • Review existing MCP stdio configurations for command or args values that an administrator did not create, and remove or disable any that could launch an arbitrary program
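The mechanism the Impact section describes (user-controlled stdio_config.command and args handed straight to a subprocess) and the allowlisting the recommended actions call for, shown side by side in Go. This is example code written for this page, not WeKnora's own implementation: the StdioConfig type and its field names, the allowedCommands list, the metacharacter set and the function names are all assumptions chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// StdioConfig stands in for an MCP stdio server entry of the shape the
// advisory names (stdio_config.command/args). The type and field names are
// assumptions for this example, not WeKnora's actual types.
type StdioConfig struct {
	Command string   `json:"command"`
	Args    []string `json:"args"`
}

// runStdioVulnerable reproduces the pattern the advisory describes: the
// command and args an authenticated user saved in the MCP stdio settings are
// executed as a subprocess with the service's privileges. exec.Command does
// not spawn a shell, but that is no protection when the attacker chooses the
// program itself ("sh", "-c", "...").
func runStdioVulnerable(ctx context.Context, cfg StdioConfig) ([]byte, error) {
	return exec.CommandContext(ctx, cfg.Command, cfg.Args...).CombinedOutput()
}

// allowedCommands is a server-side allowlist of MCP launchers an operator has
// approved. The entries are illustrative.
var allowedCommands = map[string]bool{
	"npx": true,
	"uvx": true,
}

const maxArgs = 32

// validateStdioConfig is the check that was missing: the command must be a
// bare name on the allowlist (no directory component, so "/bin/sh" or
// "../../x" cannot be smuggled in), and every argument must be free of shell
// metacharacters and NULs. The metacharacter check is defence in depth for
// launchers that may themselves hand their args to a shell.
func validateStdioConfig(cfg StdioConfig) error {
	if cfg.Command == "" {
		return errors.New("stdio_config.command is required")
	}
	if cfg.Command != filepath.Base(cfg.Command) {
		return fmt.Errorf("command must be a bare name, got %q", cfg.Command)
	}
	if !allowedCommands[cfg.Command] {
		return fmt.Errorf("command %q is not in the allowlist", cfg.Command)
	}
	if len(cfg.Args) > maxArgs {
		return fmt.Errorf("too many args (%d > %d)", len(cfg.Args), maxArgs)
	}
	for i, a := range cfg.Args {
		if strings.ContainsAny(a, ";&|`$<>()\n\r\x00") {
			return fmt.Errorf("args[%d] contains a forbidden character", i)
		}
	}
	return nil
}

// runStdioHardened validates before spawning and bounds the subprocess
// lifetime so a hung or runaway MCP server cannot tie up the service.
func runStdioHardened(ctx context.Context, cfg StdioConfig) ([]byte, error) {
	if err := validateStdioConfig(cfg); err != nil {
		return nil, err
	}
	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()
	return exec.CommandContext(ctx, cfg.Command, cfg.Args...).CombinedOutput()
}

func main() {
	// Constructed payloads: the first is what an attacker would save as an
	// MCP stdio config, the second a legitimate-looking entry.
	evil := StdioConfig{Command: "sh", Args: []string{"-c", "id > /tmp/pwned"}}
	good := StdioConfig{Command: "npx", Args: []string{"-y", "@modelcontextprotocol/server-filesystem", "/data"}}

	for _, cfg := range []StdioConfig{evil, good} {
		if err := validateStdioConfig(cfg); err != nil {
			fmt.Printf("rejected %q: %v\n", cfg.Command, err)
		} else {
			fmt.Printf("accepted %q %v\n", cfg.Command, cfg.Args)
		}
	}
	// runStdioHardened(context.Background(), evil) returns the same error
	// without spawning anything; runStdioVulnerable would run it.
}
```

The allowlist is the fix that matters: once the program name is fixed to an operator-approved launcher, the user can only influence which MCP server that launcher starts. The argument filtering and the timeout are secondary hardening, and neither replaces the authorization check that limits who may edit MCP stdio settings in the first place.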


Advisories
Source: GitHub GHSA
ID: GHSA-78h3-63c4-5fqc
Title: WeKnora has Command Injection in MCP stdio test
History

Thu, 22 Jan 2026 14:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*

Mon, 12 Jan 2026 18:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
Values added: Tencent; Tencent weknora
Type: Vendors & Products
Values added: Tencent; Tencent weknora

Sat, 10 Jan 2026 04:15:00 +0000

Type: Description
Values added: WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
Type: Title
Values added: WeKnora has Command Injection in MCP stdio test
Type: Weaknesses
Values added: CWE-77
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T17:20:43.431Z

Reserved: 2026-01-08T19:23:09.854Z

Link: CVE-2026-22688

Vulnrichment

Updated: 2026-01-12T17:20:29.771Z

NVD

Status : Analyzed

Published: 2026-01-10T04:16:01.837

Modified: 2026-01-22T14:39:17.193

Link: CVE-2026-22688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses