CVE-2026-30856
Received Received - Intake
Tool Name Collision and Prompt Injection in WeKnora Enables Hijacking

Publication date: 2026-03-07

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30856
EUVD
EUVD-2026-10179
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tencent weknora to 0.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30856 is a moderate severity vulnerability in the WeKnora MCP client (versions up to 0.2.14) that allows a malicious remote MCP server to hijack tool execution by exploiting ambiguous naming conventions and indirect prompt injection.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the MCP client generates internal tool identifiers by concatenating service and tool names with underscores (format: mcp_{service}_{tool}) without proper validation. This allows a malicious server to register a tool with a name that collides with a legitimate tool, overwriting it silently.'}, {'type': 'paragraph', 'content': 'Additionally, the MCP client feeds tool descriptions and execution results directly back into the Large Language Model (LLM) context without sanitization. A malicious tool can exploit this by returning crafted instructions that the LLM interprets as trusted commands, effectively performing prompt injection.'}, {'type': 'paragraph', 'content': "An attacker operating a malicious MCP server can register a malicious tool mimicking a legitimate tool's name to hijack execution, then use indirect prompt injection to exfiltrate sensitive system prompts, context, and potentially execute other tools with the user's privileges."}, {'type': 'paragraph', 'content': 'This issue has been patched in WeKnora client version 0.3.0.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have several impacts on users of the WeKnora MCP client:'}, {'type': 'list_item', 'content': "Unauthorized arbitrary tool execution within the user's MCP client context."}, {'type': 'list_item', 'content': 'Exfiltration of sensitive information including system prompts, context, and potentially credentials.'}, {'type': 'list_item', 'content': 'Privilege abuse allowing the attacker to perform actions on behalf of the user and access other tools or services.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the WeKnora MCP client is running a version prior to 0.3.0 and if it has registered tools from an untrusted or malicious MCP server that could cause tool name collisions.'}, {'type': 'paragraph', 'content': 'You can check the version of the WeKnora MCP client installed on your system to confirm if it is vulnerable (versions ≀ 0.2.14 are affected).'}, {'type': 'paragraph', 'content': "To detect suspicious tool registrations or executions, monitor network traffic for connections to unknown MCP servers or unusual tool names such as 'mcp_tavily_extract' which may indicate a malicious tool overwriting a legitimate one."}, {'type': 'paragraph', 'content': 'Commands to help detect this might include:'}, {'type': 'list_item', 'content': 'Check WeKnora MCP client version: `weknora_mcp_client --version` or equivalent command depending on installation.'}, {'type': 'list_item', 'content': "List registered MCP services and tools to identify suspicious entries, if such a command or log exists (e.g., inspecting configuration files or logs for tool names like 'mcp_tavily_extract')."}, {'type': 'list_item', 'content': 'Monitor network connections for unusual MCP server endpoints using tools like `netstat -anp | grep <weknora_process>` or `ss -tunp`.'}, {'type': 'list_item', 'content': 'Inspect logs or output of the MCP client for unexpected tool execution or prompt injection patterns.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade the WeKnora MCP client to version 0.3.0 or later, where this vulnerability has been patched.

Additional immediate steps include:

  • Avoid registering MCP services from untrusted or unknown servers to prevent malicious tool registration.
  • Implement validation and sanitization of tool names to prevent collisions and overwriting of legitimate tools.
  • Sanitize tool outputs before feeding them back into the LLM context to prevent indirect prompt injection.
  • Monitor and restrict network access to MCP servers to trusted endpoints only.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30856. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart