CVE-2026-22688
Published: 10 January 2026
Summary
CVE-2026-22688 is a critical-severity Command Injection (CWE-77) vulnerability in Tencent WeKnora. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 36.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection by validating and sanitizing user-supplied inputs to stdio_config.command/args before subprocess execution.
Addresses the specific flaw in WeKnora prior to version 0.2.5 by requiring identification, reporting, and timely remediation through patching.
Limits the impact of injected commands by enforcing least privilege on authenticated users and server processes executing subprocesses.
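One way to apply the input-validation control above to stdio_config.command/args before a subprocess is started, as an added example (not WeKnora's code or its 0.2.5 patch). The `StdioConfig` struct, both allowlists and the argument pattern are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// StdioConfig mirrors the stdio_config.command/args fields named in the
// advisory. The struct and the policy values below are assumptions.
type StdioConfig struct {
	Command string
	Args    []string
}

var (
	// Hypothetical allowlist of MCP server launchers; exact match only,
	// so absolute paths and shells are refused.
	allowedCommands = map[string]bool{"npx": true, "uvx": true}
	// Hypothetical allowlist of launcher flags.
	allowedFlags = map[string]bool{"-y": true}
	// Positional args: package-style tokens that cannot start with '-'.
	safeArg = regexp.MustCompile(`^[A-Za-z0-9@][A-Za-z0-9@._/:=-]*$`)
)

// ValidateStdioConfig must pass before the server starts any subprocess.
func ValidateStdioConfig(c StdioConfig) error {
	if !allowedCommands[c.Command] {
		return fmt.Errorf("command %q is not on the allowlist", c.Command)
	}
	for i, a := range c.Args {
		if allowedFlags[a] || safeArg.MatchString(a) {
			continue
		}
		return fmt.Errorf("args[%d] %q is not permitted", i, a)
	}
	return nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	samples := []StdioConfig{
		{"npx", []string{"-y", "@example/mcp-server"}},
		{"bash", []string{"script.sh"}},
		{"uvx", []string{"--unlisted", "example-mcp"}},
	}
	for _, s := range samples {
		fmt.Printf("%s %v -> %v\n", s.Command, s.Args, ValidateStdioConfig(s))
	}
}
```

Validation of this kind complements, and does not replace, upgrading to 0.2.5 and running the server process with least privilege.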
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a remotely accessible server enables exploitation of a public-facing application (T1190) or of remote services (T1210), facilitating arbitrary command execution (T1059).
NVD Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
Deeper analysis
CVE-2026-22688 is a command injection vulnerability (CWE-77) affecting WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval. In versions prior to 0.2.5, the vulnerability enables authenticated users to inject malicious values into the stdio_config.command/args fields within MCP stdio settings. This injection causes the server to execute arbitrary subprocesses using the attacker-supplied values. The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
An attacker with authenticated access to the WeKnora server can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the stdio_config parameters, the attacker can execute arbitrary commands as the server process, achieving high-impact confidentiality, integrity, and availability violations. The changed scope (S:C) amplifies the risk, as successful exploitation allows control over subprocesses that could lead to full server takeover, data exfiltration, or further lateral movement.
The vulnerability has been addressed in WeKnora version 0.2.5, as detailed in the project's GitHub security advisory (GHSA-78h3-63c4-5fqc) and corresponding patch commit (f7900a5e9a18c99d25cec9589ead9e4e59ce04bb). Security practitioners should prioritize upgrading to the patched version and review access controls for authenticated users interacting with MCP stdio configurations.
As an LLM-powered framework, this vulnerability highlights risks in AI/ML pipelines where untrusted inputs can propagate to system-level execution, though no evidence of real-world exploitation is reported in available sources.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm, mcp