CVE-2026-22688
Command Injection in WeKnora MCP stdio Allows Code Execution

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
Meta Information
Published: 2026-01-10
Last Modified: 2026-01-10
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
tencent | weknora | to 0.2.5 (exc)
CWE ID | Description
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22688 is a critical command injection vulnerability in Tencent's WeKnora project affecting versions prior to 0.2.5. Authenticated users can inject arbitrary commands and arguments into the MCP stdio service configuration fields (`stdio_config.command` and `stdio_config.args`). These injected commands are executed by the server without proper validation or sanitization, allowing attackers to run arbitrary subprocesses. The vulnerability arises due to missing input validation, lack of authorization controls beyond bearer token authentication, and unsafe execution of user-supplied commands in the MCP stdio transport mechanism. [1]


How can this vulnerability impact me?

This vulnerability can lead to remote code execution (RCE) on the server, allowing attackers to execute arbitrary commands. Potential impacts include file creation or modification, execution of malicious payloads, service disruption, information disclosure (such as leaking environment variables, configuration files, keys, and tokens), privilege escalation, lateral movement within the environment, and cross-tenant impact in shared backend deployments. Overall, it poses severe risks to the confidentiality, integrity, and availability of the affected system. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and inspecting API calls to the /api/v1/mcp-services endpoints, especially those that create, update, or test MCP services with transport_type set to stdio. Look for suspicious or unauthorized changes to the stdio_config.command and stdio_config.args fields. Additionally, detection can involve checking for unexpected subprocess executions or side effects such as creation of unusual files (e.g., /tmp/RCE_ok.txt) on the server.

Commands to detect signs of exploitation might include:

1) Checking running processes for unexpected commands injected via stdio_config: `ps aux | grep -E 'bash|sh|python|node'`
2) Searching for suspicious files created by injected commands: `ls -l /tmp/RCE_ok.txt`
3) Monitoring API access logs for POST or PUT requests to /api/v1/mcp-services with stdio transport and unusual command arguments.
4) Using network monitoring tools to detect unusual API calls or command executions.

However, no specific detection commands are provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Tencent WeKnora to version 0.2.5 or later, where the vulnerability has been patched. The patch introduces strict validation and allowlisting of commands, arguments, and environment variables for MCP stdio transport configurations, preventing command injection. If upgrading immediately is not possible, restrict access to the /api/v1/mcp-services endpoints to trusted administrators only, enforce strong authentication and authorization controls beyond bearer tokens, and monitor for suspicious activity as a temporary measure. Applying the security validation logic that checks commands against a whitelist and scans arguments and environment variables for dangerous patterns is critical to prevent exploitation. [2]
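
The validation approach described above, sketched as an added example in Go; this is not WeKnora's patch code. The `StdioConfig` type, the `ValidateStdioConfig` function, the allowlisted launchers, the blocked environment names and the dangerous-pattern regex are all assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// StdioConfig mirrors the stdio_config fields named in the advisory.
type StdioConfig struct {
	Command string
	Args    []string
	Env     map[string]string
}

// Assumed policy values for illustration; not WeKnora's actual lists.
var allowedCommands = map[string]bool{"npx": true, "uvx": true}
var blockedEnv = map[string]bool{"LD_PRELOAD": true, "LD_LIBRARY_PATH": true, "PATH": true, "NODE_OPTIONS": true}
var dangerous = regexp.MustCompile("[;&|`$<>\n\r]|\\.\\./")

// ValidateStdioConfig rejects a config before any subprocess is started.
// The command must match an allowlisted name exactly, so paths and shells fail.
func ValidateStdioConfig(c StdioConfig) error {
	if !allowedCommands[c.Command] {
		return fmt.Errorf("command %q is not allowlisted", c.Command)
	}
	for i, a := range c.Args {
		if dangerous.MatchString(a) {
			return fmt.Errorf("args[%d] contains a disallowed pattern", i)
		}
	}
	for k, v := range c.Env {
		if blockedEnv[strings.ToUpper(k)] || dangerous.MatchString(v) {
			return fmt.Errorf("env %q is not permitted", k)
		}
	}
	// Note: an allowlisted launcher still runs whatever package its args name.
	return nil
}

func main() {
	// Constructed sample configurations.
	samples := []StdioConfig{
		{Command: "npx", Args: []string{"-y", "example-mcp-server"}},
		{Command: "bash", Args: []string{"-c", "id"}},
	}
	for _, s := range samples {
		fmt.Printf("%s %v -> %v\n", s.Command, s.Args, ValidateStdioConfig(s))
	}
}
```

Because an allowlisted launcher can still fetch and run an arbitrary package, this check complements rather than replaces restricting the /api/v1/mcp-services endpoints to trusted administrators.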


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users to execute arbitrary commands on the server, leading to potential remote code execution, information disclosure, privilege escalation, and lateral movement. This can result in unauthorized access to sensitive data such as environment variables, configuration files, keys, tokens, and local files. Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of sensitive and personal data. Therefore, exploitation of this vulnerability could lead to violations of these regulations due to compromised confidentiality, integrity, and availability of protected data. [1]

