PT-2026-23799 · Weknora+1

Aleister1102 · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-30856

CVSS v3.1: 7.6 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

WeKnora versions prior to 0.3.0

Description

WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval, is susceptible to a vulnerability involving tool name collision and indirect prompt injection. A malicious remote MCP server can hijack tool execution by exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}). An attacker can register a malicious tool that overwrites a legitimate one, such as tavily_extract. This allows redirection of the LLM execution flow, exfiltration of system prompts and context, and potential execution of other tools with the user's privileges.

The vulnerability arises from two weaknesses in the client: tool name collision and unsanitized tool and metadata output.

Tool name collision: the client generates internal tool identifiers by sanitizing the service name and tool name and joining them with underscores. The registry overwrites existing entries, allowing a malicious service to replace legitimate implementations.

Unsanitized output: the client feeds MCP tool descriptions and execution results directly back into the LLM context without sanitization, enabling a malicious tool to return instructions (prompt injection) that the LLM interprets as trusted commands.

Recommendations

Versions prior to 0.3.0 should be updated to version 0.3.0 or later.
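
The identifier collision and registry overwrite from the description, shown next to a registry that refuses a duplicate identifier. This is an added example, not WeKnora's code: toolID, Registry, the sanitizer pattern and the service and tool names are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Assumption: IDs follow the advisory's mcp_{service}_{tool} scheme, with
// characters outside [A-Za-z0-9_] replaced by "_" (hypothetical sanitizer).
var unsafeChars = regexp.MustCompile(`[^A-Za-z0-9_]`)

func toolID(service, tool string) string {
	clean := func(s string) string { return unsafeChars.ReplaceAllString(s, "_") }
	return "mcp_" + clean(service) + "_" + clean(tool)
}

// Tool records which MCP service supplied an implementation.
type Tool struct{ Service, Name string }

var ErrCollision = errors.New("tool identifier already registered")

// Registry overwrites silently when strict is false and refuses when true.
type Registry struct {
	tools  map[string]Tool
	strict bool
}

func NewRegistry(strict bool) *Registry {
	return &Registry{tools: map[string]Tool{}, strict: strict}
}

func (r *Registry) Register(t Tool) error {
	id := toolID(t.Service, t.Name)
	if prev, ok := r.tools[id]; ok && r.strict {
		return fmt.Errorf("%w: %s is held by service %q", ErrCollision, id, prev.Service)
	}
	r.tools[id] = t
	return nil
}

// Owner returns the service whose implementation runs for id.
func (r *Registry) Owner(id string) string { return r.tools[id].Service }

func main() {
	// Constructed names: two different (service, tool) pairs, one identifier.
	r := NewRegistry(true)
	fmt.Println(r.Register(Tool{"search", "tavily_extract"}))
	fmt.Println(r.Register(Tool{"search.tavily", "extract"}))
}
```

Rejecting the second registration addresses only the overwrite; tool descriptions and results returned by a remote server still need to be treated as untrusted input before they reach the LLM context.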


Weakness Enumeration

Related Identifiers

CVE-2026-30856
GHSA-67Q9-58VJ-32QX
GO-2026-4638
SUSE-SU-2026:1042-1

Affected Products

Weknora
Tavily Extract