Cyber Resilience

CVE-2026-22687

Medium · Public PoC

Published: 10 January 2026

Modified: 06 March 2026
CVSS Score v3.1: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0035 (27.1th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22687 is a medium-severity SQL Injection (CWE-89) vulnerability in Tencent Weknora. Its CVSS base score is 5.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 27.1th percentile, below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22687 is a vulnerability in WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval. In versions prior to 0.2.5, enabling the Agent service allows users to invoke the database query tool. Insufficient backend validation enables attackers to use prompt-based bypass techniques to circumvent query restrictions.

Unauthenticated remote attackers can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). Exploitation evades restrictions to obtain sensitive information from the target server and database, with limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in the CVSS v3.1 base score of 5.6 under unchanged scope (S:U). The issue maps to CWE-89.

The vulnerability has been patched in WeKnora version 0.2.5. Mitigation involves upgrading to this version or later. Details are provided in the GitHub security advisory at GHSA-pcwc-3fw3-8cqv and the patching commit da55707022c252dd2c20f8e18145b2d899ee06a1.


Vulnerability details

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt-based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.

CWE(s)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A vulnerability in the public-facing LLM Agent service enables remote, unauthenticated bypass of database query restrictions (CWE-89, SQLi-like), directly facilitating initial access and data retrieval via T1190.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30860 · Same product: Tencent Weknora
CVE-2026-30855 · Same product: Tencent Weknora
CVE-2026-30247 · Same product: Tencent Weknora
CVE-2026-30858 · Same product: Tencent Weknora
CVE-2026-30861 · Same product: Tencent Weknora
CVE-2026-22688 · Same product: Tencent Weknora
CVE-2026-30856 · Same product: Tencent Weknora
CVE-2026-5585 · Same vendor: Tencent
CVE-2024-10835 · Shared CWE-89
CVE-2026-32628 · Shared CWE-89

Affected Assets

Vendor: tencent
Product: weknora
Version: ≤ 0.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of all inputs to the database query tool, blocking the prompt-based bypasses that evade query restrictions.

prevent

Enforces backend authorization checks on the Agent service's database query capability so that only permitted queries can execute.

prevent

Controls information flows between the LLM Agent and the database, limiting unauthorized data exfiltration even if prompt restrictions are bypassed.
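
The backend enforcement these controls describe, as an added example (not WeKnora's code and not its 0.2.5 patch): the query tool's connection applies an allowlist inside the database engine, so the decision does not depend on the prompt or on how the SQL text is phrased. Python's sqlite3 authorizer stands in for the product's database; the table names, policy and function names are hypothetical and the data is constructed.

```python
import sqlite3

# Hypothetical policy for the agent's query tool: readable columns per table.
ALLOWED_READS = {"documents": {"id", "title"}}
ALLOWED_FUNCTIONS = {"lower", "upper", "length"}


def _authorizer(action, arg1, arg2, dbname, source):
    """Called by SQLite while compiling each statement; default is deny."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        ok = arg2 in ALLOWED_READS.get(arg1, ())
    elif action == sqlite3.SQLITE_FUNCTION:  # arg2 = function name
        ok = arg2 in ALLOWED_FUNCTIONS
    else:  # INSERT/UPDATE/DELETE, DDL, PRAGMA, ATTACH, transactions, ...
        ok = False
    return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY


def build_tool_connection():
    """Constructed sample data on a connection dedicated to the agent tool."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO documents VALUES (1, 'Onboarding guide');
        INSERT INTO api_keys VALUES (1, 'constructed-sample-secret');
        """
    )
    conn.set_authorizer(_authorizer)  # from here on the policy applies
    return conn


def run_agent_query(conn, sql):
    """Run SQL proposed by the model; returns (rows, error)."""
    try:
        return conn.execute(sql).fetchall(), None
    except (sqlite3.Error, sqlite3.Warning) as exc:  # denied or multi-statement
        return None, str(exc)


if __name__ == "__main__":
    conn = build_tool_connection()
    for sql in (
        "SELECT id, title FROM documents WHERE id = 1",
        "SELECT title FROM documents UNION SELECT secret FROM api_keys",
        "DELETE FROM documents",
    ):
        print(sql, "->", run_agent_query(conn, sql))
```

On a server database the same effect comes from connecting the tool with a role that holds only SELECT on the permitted tables.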
