CVE-2026-30861
Published: 07 March 2026
Summary
CVE-2026-30861 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tencent Weknora. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5, AI-generated)
- SI-10 (Information Input Validation): directly mitigates the OS command injection by validating MCP stdio configuration inputs so that launcher-level bypasses, such as running node -p through npx, are rejected.
- Patching: requires timely remediation of the specific command injection flaw, as evidenced by the fix in WeKnora version 0.2.10.
- AC-6 (Least Privilege): limits the application's privileges to the minimum necessary, reducing the scope of compromise from arbitrary command execution with application privileges.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Direct unauthenticated RCE via OS command injection (CWE-78) in a public-facing LLM framework service: T1190 covers exploitation of the exposed application, and T1059.004 covers the resulting arbitrary Unix shell command execution, reachable after trivial account registration.
NVD Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. From version 0.2.5 to before version 0.2.10, an unauthenticated remote code execution (RCE) vulnerability exists in the MCP stdio configuration validation. The application allows unrestricted user registration, meaning any attacker can create an account and exploit the command injection flaw. Despite implementing a whitelist for allowed commands (npx, uvx) and blacklists for dangerous arguments and environment variables, the validation can be bypassed using the -p flag with npx node. This allows any attacker to execute arbitrary commands with the application's privileges, leading to complete system compromise. This issue has been patched in version 0.2.10.
Deeper analysis (AI-generated)
CVE-2026-30861 is an unauthenticated remote code execution (RCE) vulnerability in the MCP stdio configuration validation of WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval. The flaw affects versions from 0.2.5 up to but not including 0.2.10. It stems from a command injection issue where validation whitelists commands like npx and uvx, along with blacklists for dangerous arguments and environment variables, but these can be bypassed using the -p flag with npx node, enabling arbitrary command execution with the application's privileges. The vulnerability is rated at CVSS 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-78 (OS Command Injection).
Any attacker can exploit this vulnerability due to WeKnora's unrestricted user registration, allowing account creation without authentication. Once registered, the attacker can leverage the command injection bypass in the MCP stdio configuration to execute arbitrary commands, resulting in complete system compromise with the privileges of the running application.
The GitHub security advisory at https://github.com/Tencent/WeKnora/security/advisories/GHSA-r55h-3rwj-hcmg confirms the issue has been patched in version 0.2.10, urging users to upgrade immediately.
Because WeKnora is an LLM-powered framework, this vulnerability highlights the risk in AI/ML tooling that semantic processing pipelines, and the agent integrations they launch, can expose RCE paths; no real-world exploitation has been reported.
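The validation weakness described above is a general one: allowlisting the launcher (npx, uvx) while only denylisting its arguments leaves every launcher option the denylist omits open. The following Go program is an added example, not WeKnora's code or its fix; it contrasts that weak pattern with a validator that allowlists what is actually executed. The StdioConfig type, the placeholder package names in allowedPackages, and the MCP_ environment prefix are assumptions made for the example. The bypass-shaped config uses a harmless expression only to show which validator rejects it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// StdioConfig is the shape of an MCP stdio server entry: a launcher command,
// its arguments and extra environment variables. Constructed for this
// example; it is not WeKnora's own type.
type StdioConfig struct {
	Command string
	Args    []string
	Env     map[string]string
}

// ---- Weak pattern: allowlisted launcher, denylisted arguments ---------------
// The launcher is allowlisted, but what the launcher is told to run is only
// screened against a denylist, so any launcher option the list omits passes.

var deniedArgs = map[string]bool{"-e": true, "--eval": true, "-c": true, ";": true, "&&": true, "|": true}
var deniedEnv = map[string]bool{"NODE_OPTIONS": true, "LD_PRELOAD": true, "PATH": true}

func ValidateWeak(c StdioConfig) error {
	if c.Command != "npx" && c.Command != "uvx" {
		return fmt.Errorf("command %q not allowed", c.Command)
	}
	for _, a := range c.Args {
		if deniedArgs[a] {
			return fmt.Errorf("argument %q not allowed", a)
		}
	}
	for k := range c.Env {
		if deniedEnv[k] {
			return fmt.Errorf("env var %q not allowed", k)
		}
	}
	return nil
}

// ---- Strict pattern: allowlist what is executed, not just the launcher -----

// packageSpec matches a package name with an optional pinned version, e.g.
// "@scope/name@1.2.3". Launcher flags such as "-p" never match it.
var packageSpec = regexp.MustCompile(`^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9._+-]+)?$`)

// envKey restricts variable names to a conservative shape.
var envKey = regexp.MustCompile(`^[A-Z][A-Z0-9_]{0,63}$`)

// allowedPackages is the operator-maintained allowlist of MCP servers that may
// be launched. The names are placeholders for this example.
var allowedPackages = map[string]bool{
	"@example/mcp-server-filesystem": true,
	"example-mcp-server-fetch":       true,
}

// allowedEnvPrefix: only variables intended for the MCP server are forwarded.
const allowedEnvPrefix = "MCP_"

func ValidateStrict(c StdioConfig) error {
	if c.Command != "npx" && c.Command != "uvx" {
		return fmt.Errorf("command %q not allowed", c.Command)
	}
	if len(c.Args) == 0 {
		return fmt.Errorf("no package specified")
	}
	// The first argument is what actually gets executed, so it must be a
	// package spec from the allowlist. This rejects launcher options in that
	// position and bare interpreters such as "node", which are not listed.
	pkg := c.Args[0]
	if !packageSpec.MatchString(pkg) {
		return fmt.Errorf("first argument %q is not a package spec", pkg)
	}
	name := pkg
	if i := strings.LastIndex(pkg, "@"); i > 0 {
		name = pkg[:i] // drop the pinned version, keep the scope
	}
	if !allowedPackages[name] {
		return fmt.Errorf("package %q not in allowlist", name)
	}
	// Later arguments go to the allowlisted server; still refuse control
	// characters and shell metacharacters as defence in depth.
	for _, a := range c.Args[1:] {
		if strings.ContainsAny(a, ";&|`$<>\n\x00") {
			return fmt.Errorf("argument %q contains forbidden characters", a)
		}
	}
	for k, v := range c.Env {
		if !envKey.MatchString(k) || !strings.HasPrefix(k, allowedEnvPrefix) {
			return fmt.Errorf("env var %q not allowed", k)
		}
		if strings.ContainsAny(v, "\n\x00") {
			return fmt.Errorf("env value for %q contains control characters", k)
		}
	}
	return nil
}

func main() {
	// Constructed sample configs: a legitimate server entry and the
	// launcher-option shape the advisory describes, with a harmless expression.
	legit := StdioConfig{
		Command: "npx",
		Args:    []string{"@example/mcp-server-filesystem@1.0.0", "/data"},
		Env:     map[string]string{"MCP_ROOT": "/data"},
	}
	bypass := StdioConfig{Command: "npx", Args: []string{"node", "-p", "1+1"}}
	fmt.Println("weak/legit:   ", ValidateWeak(legit))    // <nil>
	fmt.Println("weak/bypass:  ", ValidateWeak(bypass))   // <nil>: the denylist never sees it
	fmt.Println("strict/legit: ", ValidateStrict(legit))  // <nil>
	fmt.Println("strict/bypass:", ValidateStrict(bypass)) // rejected: "node" is not an allowlisted package
}
```

The design point is that the denylist screens individual tokens while the thing that matters is what the launcher will execute; positional allowlisting of the package, plus an allowlist (not a denylist) for forwarded environment variables, closes the class rather than one instance. Running the launched MCP process under a dedicated low-privilege account, as the AC-6 control above recommends, bounds the damage if a validator gap remains.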
Details
- CWE(s): CWE-78 (OS Command Injection)
- Affected Products: Tencent WeKnora, versions 0.2.5 up to but not including 0.2.10
AI Security Analysis (AI-generated)
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm, mcp