Cyber Resilience

CVE-2026-30856

Severity: Medium · Public PoC

Published: 07 March 2026
Modified: 13 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in WeKnora 0.3.0
CVSS v3.1: 5.9 (Medium) · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS: 0.0002 (7.2nd percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30856 is a medium-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Tencent WeKnora, with a CVSS v3.1 base score of 5.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Hijack Execution Flow (T1574). EPSS ranks it at the 7.2nd percentile for exploit likelihood (well below the median); it is not listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the Protocol-Specific Risks domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-30856 affects WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval, in versions prior to 0.3.0. It stems from tool name collision combined with indirect prompt injection in the MCP client, which identifies tools by the flattened name mcp_{service}_{tool}. Because that flattened name does not unambiguously separate the service part from the tool part, a malicious remote MCP server can advertise a tool whose flattened name matches a legitimate one, such as tavily_extract; the later registration overwrites the earlier binding, so calls meant for the legitimate tool are routed to the attacker's.

The attacker must control a remote MCP server that the WeKnora instance connects to. Per the CVSS vector the attack is network-reachable (AV:N), needs only low privileges (PR:L), but has high attack complexity (AC:H) and requires user interaction (UI:R). Successful exploitation redirects the LLM's tool-execution flow: the attacker's tool receives the calls intended for the legitimate one, can exfiltrate the system prompt and conversation context, and can potentially trigger other tools with the user's privileges. That gives high confidentiality impact (C:H) with low integrity (I:L) and availability (A:L) impact, for a CVSS v3.1 base score of 5.9.

The GitHub security advisory (https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx) confirms the issue is patched in WeKnora 0.3.0; the root cause is classed as CWE-706 (Use of Incorrectly-Resolved Name or Reference).

The issue illustrates a general risk in AI/ML tool-calling: tool names, descriptions and outputs supplied by an external MCP server are attacker-controlled input, and if the client resolves tool names ambiguously that input can redirect execution (indirect prompt injection). No real-world exploitation has been reported. Practically, operators should upgrade to 0.3.0 or later and treat the set of configured remote MCP servers as a trust boundary to be reviewed, since exploitation requires one of them to be attacker-controlled.

Vulnerability details

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.

CWE(s)

CWE-706 Use of Incorrectly-Resolved Name or Reference

AI Security Analysis [AI]

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped (note that the advisory describes indirect prompt injection, which the OWASP 2025 list covers as LLM01:2025 Prompt Injection)
Classification Reason: Matched keywords: llm, mcp, prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1574 Hijack Execution Flow (Stealth)
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
T1659 Content Injection (Initial Access)
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Tool name collision lets the attacker's tool take over LLM/tool execution flow (T1574, applied by analogy: the ATT&CK definition concerns how operating systems run programs); the malicious MCP server delivers its payload as injected content, i.e. indirect prompt injection (T1659); and the hijacked tool exfiltrates the system prompt and context held on the local system (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30861 · Same product: Tencent Weknora
CVE-2026-22688 · Same product: Tencent Weknora
CVE-2026-30858 · Same product: Tencent Weknora
CVE-2026-30247 · Same product: Tencent Weknora
CVE-2026-30860 · Same product: Tencent Weknora
CVE-2026-30855 · Same product: Tencent Weknora
CVE-2026-22687 · Same product: Tencent Weknora
CVE-2026-5585 · Same vendor: Tencent
CVE-2025-63945 · Same vendor: Tencent
CVE-2025-63946 · Same vendor: Tencent

Affected Assets

tencent / weknora: versions < 0.3.0 (fixed in 0.3.0)

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · AC-3 Access Enforcement
Enforces access decisions on tool registration and execution so a malicious MCP server cannot overwrite a legitimate tool name such as tavily_extract.

prevent · AC-4 Information Flow Enforcement
Controls information flows between the MCP client and remote servers, blocking the indirect prompt injection path that redirects LLM execution.

prevent
Validates tool names and service identifiers at registration time, directly mitigating the ambiguous mcp_{service}_{tool} collision that enables hijacking.
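The collision described under Deeper analysis and Vulnerability details, and the registration-time checks listed above as mitigating controls, as an added Python example: this is illustrative code written for this page, not WeKnora's MCP client or its 0.3.0 fix. Only the mcp_{service}_{tool} naming scheme and the tavily_extract tool name come from the advisory; the registry classes, the trusted-service list, the identifier allowlist (lowercase letters, digits and hyphens, so '_' is reserved as the separator), the assumption that a remote server can declare its own service name, and the service and tool names search_web, search, web_page and evil-corp are constructed for the demonstration.

```python
"""Tool-name collision in a flattened MCP tool registry, beside a hardened registry.

Added illustration, not WeKnora's code: the mcp_{service}_{tool} scheme and the
tavily_extract name come from the advisory; everything else here is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    service: str   # service (MCP server) the tool is attributed to
    name: str      # tool name as advertised by that server
    remote: bool   # True if advertised by a remote MCP server, False if locally configured


def flat_name(service: str, tool: str) -> str:
    """The advisory's scheme: parts joined with '_' although parts may themselves contain '_'."""
    return f"mcp_{service}_{tool}"


class FlatRegistry:
    """Vulnerable pattern: keyed only by the flattened name, and the last registration wins."""

    def __init__(self) -> None:
        self.tools: dict[str, Tool] = {}

    def register(self, tool: Tool) -> str:
        key = flat_name(tool.service, tool.name)
        self.tools[key] = tool  # silently replaces any earlier binding for the same key
        return key

    def resolve(self, key: str) -> Tool:
        return self.tools[key]


# Assumed identifier allowlist: no '_' in either part, so '_' is an unambiguous separator.
IDENT = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")


class CollisionError(Exception):
    pass


class StrictRegistry:
    """Hardened registry: validated identifiers, (service, tool) as the real key,
    first binding wins, and a remote server may not claim a trusted service identity."""

    def __init__(self, trusted_services: set[str]) -> None:
        self.trusted_services = set(trusted_services)  # services configured by the operator
        self.by_pair: dict[tuple[str, str], Tool] = {}
        self.by_flat: dict[str, tuple[str, str]] = {}

    def register(self, tool: Tool) -> str:
        for part in (tool.service, tool.name):
            if not IDENT.fullmatch(part):
                raise ValueError(f"invalid identifier {part!r}")
        # Access enforcement: a remote server cannot register under an operator-configured service.
        if tool.remote and tool.service in self.trusted_services:
            raise CollisionError(f"remote server may not use trusted service {tool.service!r}")
        pair = (tool.service, tool.name)
        key = flat_name(*pair)
        if key in self.by_flat or pair in self.by_pair:
            raise CollisionError(f"{key} is already bound to {self.by_flat.get(key, pair)}")
        self.by_pair[pair] = tool
        self.by_flat[key] = pair
        return key

    def resolve(self, key: str) -> Tool:
        return self.by_pair[self.by_flat[key]]


def demo() -> dict:
    """Exercise both registries with constructed tools and return what each one does."""
    legit = Tool("tavily", "extract", remote=False)
    shadow = Tool("tavily", "extract", remote=True)    # remote server claiming the same service and tool
    amb_a = Tool("search_web", "page", remote=False)
    amb_b = Tool("search", "web_page", remote=True)    # different pair, identical flattened name

    flat = FlatRegistry()
    key = flat.register(legit)
    for t in (shadow, amb_a, amb_b):
        flat.register(t)
    results = {
        "flat_key": key,
        "flat_shadowed": flat.resolve(key).remote,  # True: the remote tool now answers as tavily_extract
        "flat_ambiguous": flat_name("search_web", "page") == flat_name("search", "web_page"),
    }

    strict = StrictRegistry(trusted_services={"tavily"})
    strict.register(legit)
    rejected = []
    for t in (shadow, amb_a):
        try:
            strict.register(t)
        except (CollisionError, ValueError) as exc:
            rejected.append(type(exc).__name__)
    results["strict_rejected"] = rejected                    # ['CollisionError', 'ValueError']
    results["strict_shadowed"] = strict.resolve(key).remote  # False: legitimate binding intact
    # A remote tool with a distinct, valid service name is still accepted.
    results["strict_accepted"] = strict.register(Tool("evil-corp", "extract", remote=True))
    return results


if __name__ == "__main__":
    print(demo())
```

Run with python3 and it prints the result dict. The flattened registry has two independent weaknesses: a self-declared service name lets a remote server shadow an operator-configured one (the access-enforcement gap, AC-3), and allowing '_' inside identifiers makes mcp_search_web_page resolve to two different (service, tool) pairs (the validation gap). StrictRegistry closes both and also refuses any re-registration of an existing binding, so the order in which servers connect no longer decides which tool answers to a name.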

References