{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30856", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.342Z", "datePublished": "2026-03-07T16:32:44.566Z", "dateUpdated": "2026-03-09T18:24:32.877Z"}, "containers": {"cna": {"title": "WeKnora: Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx"}], "affected": [{"vendor": "Tencent", "product": "WeKnora", "versions": [{"version": "< 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:32:44.566Z"}, "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0."}], "source": {"advisory": "GHSA-67q9-58vj-32qx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:52:22.657564Z", "id": "CVE-2026-30856", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:24:32.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30856", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:52:22.657564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:52:23.787Z"}}], "cna": {"title": "WeKnora: Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection", "source": {"advisory": "GHSA-67q9-58vj-32qx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Tencent", "product": "WeKnora", "versions": [{"status": "affected", "version": "< 0.3.0"}]}], "references": [{"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx", "name": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:32:44.566Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30856", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:24:32.877Z", "dateReserved": "2026-03-05T21:27:35.342Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:32:44.566Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F3180E7-F262-4100-96C2-4AB5730E75FF", "versionEndExcluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0."}, {"lang": "es", "value": "WeKnora es un framework impulsado por LLM dise\u00f1ado para la comprensi\u00f3n profunda de documentos y la recuperaci\u00f3n sem\u00e1ntica. Antes de la versi\u00f3n 0.3.0, una vulnerabilidad que implica colisi\u00f3n de nombres de herramientas e inyecci\u00f3n indirecta de prompts permite a un servidor MCP remoto malicioso secuestrar la ejecuci\u00f3n de herramientas. Al explotar una convenci\u00f3n de nombres ambigua en el cliente MCP (mcp_{service}_{tool}), un atacante puede registrar una herramienta maliciosa que sobrescribe una leg\u00edtima (por ejemplo, tavily_extract). Esto permite al atacante redirigir el flujo de ejecuci\u00f3n del LLM, exfiltrar prompts del sistema, contexto y potencialmente ejecutar otras herramientas con los privilegios del usuario. Este problema ha sido parcheado en la versi\u00f3n 0.3.0."}], "id": "CVE-2026-30856", "lastModified": "2026-04-13T14:43:36.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T17:15:53.210", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeKnora", "source": "cna", "vendor": "Tencent"}, "product": "weknora", "vendor": "tencent"}], "analysis": {"en": {"generated_at": "2026-04-16T10:47:08.110791+00:00", "value": {"mitigation_remediation": ["Upgrade WeKnora to version 0.3.0 or later to apply the vendor fix", "Configure strict tool\u2011name validation or enforce a whitelist to prevent ambiguous names from being registered", "Disable or restrict access to the remote MCP server if it is not needed, limiting tool registration to trusted entities"], "summary": {"action": "Patch", "impact": "Tool Execution Hijacking"}, "threat_synthesis": {"affected_systems": "Tencent WeKnora instances running any version prior to 0.3.0 are affected. Vulnerable versions allow a remote MCP server to register malicious tools; versions 0.3.0 and later contain a patch that eliminates ambiguous naming and protects tool registration integrity.", "description_and_impact": "The vulnerability in Tencent WeKnora allows a malicious remote MCP server to hijack tool execution through an ambiguous naming convention exercised by the MCP client. By registering a malicious tool that shares an identifier with a legitimate tool, an attacker can overwrite the legitimate tool, redirect Lake Learning Model (LLM) execution flow, exfiltrate system prompts and context, and potentially invoke other tools with the user\u2019s privileges. The weakness is an input validation flaw, classified as CWE\u2011706, which permits a takeover of the tool registry guardrails. The impact is limited to the scope of tool execution and data leakage rather than arbitrary code execution on the originating host.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% reflects a very low yet non\u2011zero probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploit Vulnerabilities catalog. Exploitation requires that an attacker control or compromise a remote MCP server; from there they can register a conflicting tool name. The attack vector is inferred to be remote, targeting the service endpoint that accepts tool submissions and performs the name lookup. No additional conditions such as privileged local access are required beyond remote control of the MCP server."}}}}, "created": "2026-03-09T10:04:54.627131+00:00", "updated": "2026-04-16T11:00:10.635084+00:00", "vendors": ["tencent", "tencent$PRODUCT$weknora"]}