CVE-2026-30858
DNS Rebinding in WeKnora Web_Fetch Enables Internal Resource Access
Publication date: 2026-03-07
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tencent | weknora | to 0.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30858 is a DNS rebinding vulnerability in the web_fetch tool of the Tencent/WeKnora project, affecting versions prior to 0.3.0. It allows an unauthenticated attacker to bypass URL validation and access internal server resources by exploiting a time-of-check-to-time-of-use (TOCTOU) flaw.
During URL validation, the tool resolves the domain to a public IP address, which passes the check. However, when fetching content, the headless browser component independently resolves the domain again, which can then resolve to a private IP address. This mismatch enables the attacker to access sensitive internal services that should be protected.
The attacker achieves this by controlling a malicious domain that initially resolves to a public IP during validation and then to a private IP during execution, effectively bypassing the security check.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to internal server resources, including private IP addresses such as 127.0.0.1 and 192.168.x.x.
An attacker can exploit this to retrieve sensitive data from internal services, configuration files, and metadata endpoints like AWS IMDSv1.
The impact includes potential disclosure of credentials and secrets, which can compromise the confidentiality of your system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting a DNS rebinding attack simulation against the web_fetch tool in WeKnora versions prior to 0.3.0. A proof-of-concept involves setting up a DNS rebinding server that returns a public IP on the first DNS query and a private IP (such as 127.0.0.1) on subsequent queries with TTL set to zero to prevent caching.
You can run a local HTTP server on the backend (for example, using Python) to check if the web_fetch tool fetches content from internal services when given a malicious domain.
- Set up a local HTTP server: python -m http.server 8888
- Configure a DNS rebinding server to respond with a public IP initially and then a private IP (e.g., 127.0.0.1) on subsequent queries.
Monitor network traffic for unexpected requests from the web_fetch tool to private IP addresses after DNS resolution.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the WeKnora framework to version 0.3.0 or later, where this DNS rebinding vulnerability in the web_fetch tool has been patched.
Until the upgrade is applied, restrict or monitor the usage of the web_fetch tool to prevent it from accessing untrusted URLs that could exploit DNS rebinding.
Implement network-level protections such as firewall rules to block unauthorized access to internal IP addresses from the application.