Cyber Resilience

CVE-2026-30247

MediumPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0003 8.2th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30247 is a medium-severity SSRF (CWE-918) vulnerability in Tencent Weknora. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30247 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval, in versions prior to 0.2.12. The issue resides in the "Import document via URL" feature, where the backend performs URL validation to block private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints, but neglects to validate HTTP redirect targets. This allows bypass via redirect chains, and Docker-specific addresses like host.docker.internal are also unblocked. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Any unauthenticated attacker with network access can exploit this by submitting a malicious URL to the import feature that initiates a redirect chain leading to internal services. Exploitation requires high complexity due to crafting effective redirects, but successful attacks enable the server to fetch sensitive internal resources, resulting in high confidentiality impact through unauthorized data access, with no integrity or availability disruption.

The GitHub Security Advisory (GHSA-595m-wc8g-6qgc) confirms the issue has been patched in WeKnora version 0.2.12, recommending immediate upgrades for affected deployments.

As an LLM-powered framework, this SSRF vulnerability highlights risks in AI/ML pipelines where external document ingestion could expose backend infrastructure. No real-world exploitation has been reported.

EU & UK References

Vulnerability details

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery (SSRF) through HTTP redirects. While the backend implements comprehensive URL…

more

validation (blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints), it fails to validate redirect targets. An attacker can bypass all protections by using a redirect chain, forcing the server to access internal services. Additionally, Docker-specific internal addresses like host.docker.internal are not blocked. This issue has been patched in version 0.2.12.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing import URL feature directly enables T1190 exploitation; bypass of metadata/private IP blocks facilitates T1552.005 credential access and T1046 internal service discovery via crafted redirects.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30858Same product: Tencent Weknora
CVE-2026-30860Same product: Tencent Weknora
CVE-2026-30855Same product: Tencent Weknora
CVE-2026-22687Same product: Tencent Weknora
CVE-2026-30861Same product: Tencent Weknora
CVE-2026-22688Same product: Tencent Weknora
CVE-2026-30856Same product: Tencent Weknora
CVE-2026-27488Shared CWE-918
CVE-2026-5585Same vendor: Tencent
CVE-2026-35486Shared CWE-918

Affected Assets

tencent
weknora
≤ 0.2.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all URL inputs and redirect targets to block SSRF bypasses via HTTP redirect chains or unblocked Docker addresses.

prevent

Enforces boundary protection rules that deny server-initiated requests to internal/private endpoints even when initial URL validation is bypassed.

prevent

Enforces information flow policies that restrict the application from retrieving or exposing internal resources through unvalidated redirects.

References