CVE-2026-22687
Published: 10 January 2026
Summary
CVE-2026-22687 is a medium-severity SQL Injection (CWE-89) vulnerability in Tencent WeKnora. Its CVSS base score is 5.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22687 is a vulnerability in WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval. In versions prior to 0.2.5, enabling the Agent service allows users to invoke the database query tool. Insufficient backend validation enables attackers to use prompt-based bypass techniques to circumvent query restrictions.
Unauthenticated remote attackers can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). Exploitation evades restrictions to obtain sensitive information from the target server and database, with limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in the CVSS v3.1 base score of 5.6 under unchanged scope (S:U). The issue maps to CWE-89.
The vulnerability has been patched in WeKnora version 0.2.5. Mitigation involves upgrading to this version or later. Details are provided in the GitHub security advisory at GHSA-pcwc-3fw3-8cqv and the patching commit da55707022c252dd2c20f8e18145b2d899ee06a1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1696
Vulnerability details
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt-based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.
- CWE(s)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing LLM Agent service enables remote unauthenticated bypass of DB query restrictions (CWE-89/SQLi-like), directly facilitating initial access and data retrieval via T1190.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all inputs to the database query tool, blocking the prompt-based bypasses that evade query restrictions.
Enforces backend authorization checks on the Agent service's database query capability so that only permitted queries can execute.
Controls information flows between the LLM Agent and the database, limiting unauthorized data exfiltration even if prompt restrictions are bypassed.