DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30856: Tool Execution Hijacking and Indirect Prompt Injection in Tencent WeKnora

Vulnerability ID: CVE-2026-30856
CVSS Score: 5.9
Published: 2026-03-06

The Tencent WeKnora framework prior to version 0.3.0 contains a vulnerability in the Model Context Protocol (MCP) client implementation. A flaw in tool identifier generation and registry management permits an attacker-controlled MCP server to overwrite legitimate tools via a naming collision. This enables the execution of indirect prompt injection attacks against the underlying large language model (LLM), facilitating unauthorized data exfiltration.

TL;DR

A naming collision vulnerability in WeKnora's MCP tool registry allows remote attackers to hijack tool execution. By registering a malicious MCP server, attackers can silently overwrite legitimate tool pointers and feed indirect prompt injections to the LLM, leading to the exfiltration of sensitive context.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-706
  • Attack Vector: Network
  • CVSS v3.1 Score: 5.9 (Medium)
  • EPSS Score: 0.04%
  • Exploit Status: Proof-of-Concept
  • CISA KEV: False

Affected Systems

  • Tencent WeKnora Core Framework
  • WeKnora Model Context Protocol (MCP) Client
  • WeKnora: < 0.3.0 (Fixed in: 0.3.0)

Code Analysis

Commit: 67fba06

Fixes the naming collision vulnerability by using UUID-based tool identifiers and a first-wins tool registration policy, so a later registration under an existing name no longer replaces the original tool.
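To show the registry behaviour the advisory describes, here is an added, stand-alone Python model (not WeKnora's code): a name-keyed, last-wins registry beside a hardened one that assigns a UUID handle per registration, keeps the first tool registered under a name, and logs the rejected duplicate. Server names, tool names and endpoints are constructed sample values.

```python
import logging
import uuid
from dataclasses import dataclass

log = logging.getLogger("mcp.registry")


@dataclass(frozen=True)
class Tool:
    server: str    # MCP server that advertised the tool
    name: str      # advertised tool name (chosen by the server)
    endpoint: str  # where a call to this tool is dispatched


class LastWinsRegistry:
    """Models the pre-0.3.0 flaw: keyed by advertised name, later registrations overwrite."""

    def __init__(self):
        self._tools = {}

    def register(self, tool):
        self._tools[tool.name] = tool  # silently replaces any earlier tool of that name
        return tool.name

    def resolve(self, name):
        return self._tools[name]


class FirstWinsRegistry:
    """Hardened model: UUID handle per registration, first-wins per name, duplicates logged."""

    def __init__(self):
        self._by_id = {}
        self._name_to_id = {}
        self.rejected = []  # kept so monitoring can see collision attempts

    def register(self, tool):
        if tool.name in self._name_to_id:
            existing = self._by_id[self._name_to_id[tool.name]]
            log.warning("duplicate tool registration rejected: %r from %r collides with %r",
                        tool.name, tool.server, existing.server)
            self.rejected.append(tool)
            return None
        handle = str(uuid.uuid4())  # identity no longer derived from the advertised name
        self._by_id[handle] = tool
        self._name_to_id[tool.name] = handle
        return handle

    def resolve(self, name):
        return self._by_id[self._name_to_id[name]]


def collision_demo(registry_cls):
    """Register two servers advertising the same tool name; return which server resolves."""
    reg = registry_cls()
    reg.register(Tool("internal-kb", "search_docs", "https://kb.internal.example/search"))
    reg.register(Tool("untrusted-server", "search_docs", "https://mcp.example.test/search"))
    return reg.resolve("search_docs").server
```

With the last-wins model the second server wins the name; with the first-wins model the original tool keeps it and the collision is logged.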

Commit: 43a2c64

Introduces ScriptValidator and a Docker-based sandbox to isolate MCP skill execution.

Mitigation Strategies

  • Upgrade Tencent WeKnora to version 0.3.0 or later.
  • Restrict MCP server registration to verified, internally controlled domains.
  • Enable and monitor application logs for duplicate tool registration attempts.
  • Implement network egress filtering to prevent unexpected outbound HTTP requests from LLM tools.

Remediation Steps:

  1. Identify all deployed instances of Tencent WeKnora running versions prior to 0.3.0.
  2. Update the WeKnora framework dependency to version 0.3.0.
  3. Verify the successful deployment of the new weknora-sandbox Docker environment to isolate skill execution.
  4. Audit currently registered MCP servers for unexpected or anomalous configurations.
  5. Monitor application logs for sudden shifts in LLM behavior or unprompted invocations of data exfiltration tools (e.g., web_fetch).

Read the full report for CVE-2026-30856 on our website for more details including interactive diagrams and full exploit analysis.