CVE-2026-30247
Published: 07 March 2026
Summary
CVE-2026-30247 is a medium-severity SSRF (CWE-918) vulnerability in Tencent Weknora. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing import URL feature directly enables T1190 exploitation; bypass of metadata/private IP blocks facilitates T1552.005 credential access and T1046 internal service discovery via crafted redirects.
NVD Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery (SSRF) through HTTP redirects. While the backend implements comprehensive URL…
more
validation (blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints), it fails to validate redirect targets. An attacker can bypass all protections by using a redirect chain, forcing the server to access internal services. Additionally, Docker-specific internal addresses like host.docker.internal are not blocked. This issue has been patched in version 0.2.12.
Deeper analysisAI
CVE-2026-30247 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval, in versions prior to 0.2.12. The issue resides in the "Import document via URL" feature, where the backend performs URL validation to block private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints, but neglects to validate HTTP redirect targets. This allows bypass via redirect chains, and Docker-specific addresses like host.docker.internal are also unblocked. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any unauthenticated attacker with network access can exploit this by submitting a malicious URL to the import feature that initiates a redirect chain leading to internal services. Exploitation requires high complexity due to crafting effective redirects, but successful attacks enable the server to fetch sensitive internal resources, resulting in high confidentiality impact through unauthorized data access, with no integrity or availability disruption.
The GitHub Security Advisory (GHSA-595m-wc8g-6qgc) confirms the issue has been patched in WeKnora version 0.2.12, recommending immediate upgrades for affected deployments.
As an LLM-powered framework, this SSRF vulnerability highlights risks in AI/ML pipelines where external document ingestion could expose backend infrastructure. No real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llm