CVE-2026-30856
Published: 07 March 2026
Summary
CVE-2026-30856 is a medium-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Tencent Weknora. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Hijack Execution Flow (T1574); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Tool name collision directly enables hijacking of LLM/tool execution flow (T1574); indirect prompt injection via malicious MCP server (T1659); resulting exfiltration of local system prompts/context (T1005).
NVD Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an…
more
ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.
Deeper analysisAI
CVE-2026-30856 is a vulnerability in WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval, affecting versions prior to 0.3.0. It stems from tool name collision and indirect prompt injection in the MCP client, which uses an ambiguous naming convention of mcp_{service}_{tool}. This allows a malicious remote MCP server to register a tool with the same name as a legitimate one, such as tavily_extract, thereby hijacking tool execution.
An attacker controlling a malicious remote MCP server can exploit this issue, provided they have low privileges (PR:L), the attack requires high complexity (AC:H) and user interaction (UI:R), and is feasible over the network (AV:N). Successful exploitation redirects LLM execution flow, enabling exfiltration of system prompts and context, as well as potential execution of other tools under the user's privileges, resulting in high confidentiality impact (C:H) alongside low integrity (I:L) and availability (A:L) impacts, with a CVSS v3.1 base score of 5.9.
The GitHub security advisory at https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx confirms the issue has been patched in WeKnora version 0.3.0, addressing the naming collision vulnerability (CWE-706).
As an LLM-powered framework, this vulnerability highlights risks in AI/ML tool-calling mechanisms, particularly indirect prompt injection via external service integrations, though no real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llm, prompt injection, mcp, mcp, llm