Suse
CVE-2026-30856
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.
AnalysisAI
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Technical ContextAI
This vulnerability (CWE-706: Use of Incorrectly-Resolved Name or Reference) affects WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval.. WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM executi
RemediationAI
Fixed in version 0.3.0.. Restrict network access to the affected service where possible.
Same technique Code Injection
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-67q9-58vj-32qx