CVE-2026-22688
Unknown Unknown - Not Provided

Command Injection in WeKnora MCP stdio Allows Code Execution

Vulnerability report for CVE-2026-22688, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-07-06
AI Q&A
2026-01-10
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tencent weknora to 0.2.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-22688 is a critical command injection vulnerability in Tencent's WeKnora project affecting versions prior to 0.2.5. Authenticated users can inject arbitrary commands and arguments into the MCP stdio service configuration fields (`stdio_config.command` and `stdio_config.args`). These injected commands are executed by the server without proper validation or sanitization, allowing attackers to run arbitrary subprocesses. The vulnerability arises due to missing input validation, lack of authorization controls beyond bearer token authentication, and unsafe execution of user-supplied commands in the MCP stdio transport mechanism. [1]

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the server, allowing attackers to execute arbitrary commands. Potential impacts include file creation or modification, execution of malicious payloads, service disruption, information disclosure (such as leaking environment variables, configuration files, keys, and tokens), privilege escalation, lateral movement within the environment, and cross-tenant impact in shared backend deployments. Overall, it poses severe risks to the confidentiality, integrity, and availability of the affected system. [1]

Detection Guidance

This vulnerability can be detected by monitoring and inspecting API calls to the /api/v1/mcp-services endpoints, especially those that create, update, or test MCP services with transport_type set to stdio. Look for suspicious or unauthorized changes to stdio_config.command and stdio_config.args fields. Additionally, detection can involve checking for unexpected subprocess executions or side effects such as creation of unusual files (e.g., /tmp/RCE_ok.txt) on the server. Commands to detect signs of exploitation might include: 1) Checking running processes for unexpected commands injected via stdio_config: `ps aux | grep -E 'bash|sh|python|node'` 2) Searching for suspicious files created by injected commands: `ls -l /tmp/RCE_ok.txt` 3) Monitoring API access logs for POST or PUT requests to /api/v1/mcp-services with stdio transport and unusual command arguments. 4) Using network monitoring tools to detect unusual API calls or command executions. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Tencent WeKnora to version 0.2.5 or later, where the vulnerability has been patched. The patch introduces strict validation and allowlisting of commands, arguments, and environment variables for MCP stdio transport configurations, preventing command injection. If upgrading immediately is not possible, restrict access to the /api/v1/mcp-services endpoints to trusted administrators only, enforce strong authentication and authorization controls beyond bearer tokens, and monitor for suspicious activity as a temporary measure. Applying the security validation logic that checks commands against a whitelist and scans arguments and environment variables for dangerous patterns is critical to prevent exploitation. [2]

Compliance Impact

The vulnerability allows authenticated users to execute arbitrary commands on the server, leading to potential remote code execution, information disclosure, privilege escalation, and lateral movement. This can result in unauthorized access to sensitive data such as environment variables, configuration files, keys, tokens, and local files. Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of sensitive and personal data. Therefore, exploitation of this vulnerability could lead to violations of these regulations due to compromised confidentiality, integrity, and availability of protected data. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22688. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart