The vulnerability in Tencent WeKnora allows a malicious remote MCP server to hijack tool execution through an ambiguous naming convention exercised by the MCP client. By registering a malicious tool that shares an identifier with a legitimate tool, an attacker can overwrite the legitimate tool, redirect Lake Learning Model (LLM) execution flow, exfiltrate system prompts and context, and potentially invoke other tools with the user’s privileges. The weakness is an input validation flaw, classified as CWE‑706, which permits a takeover of the tool registry guardrails. The impact is limited to the scope of tool execution and data leakage rather than arbitrary code execution on the originating host.

Tencent WeKnora instances running any version prior to 0.3.0 are affected. Vulnerable versions allow a remote MCP server to register malicious tools; versions 0.3.0 and later contain a patch that eliminates ambiguous naming and protects tool registration integrity.

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% reflects a very low yet non‑zero probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploit Vulnerabilities catalog. Exploitation requires that an attacker control or compromise a remote MCP server; from there they can register a conflicting tool name. The attack vector is inferred to be remote, targeting the service endpoint that accepts tool submissions and performs the name lookup. No additional conditions such as privileged local access are required beyond remote control of the MCP server.