CVE-2026-30860
SQL Injection in WeKnora Enables Remote Code Execution
Publication date: 2026-03-07
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tencent | weknora | up to 0.2.12 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30860 is a critical remote code execution (RCE) vulnerability in the WeKnora AI Database Query Tool, affecting versions prior to 0.2.12. The vulnerability arises because the tool's SQL validation system fails to recursively inspect certain PostgreSQL Abstract Syntax Tree (AST) node types, specifically array expressions (ArrayExpr) and row expressions (RowExpr). This incomplete validation allows attackers to embed dangerous PostgreSQL functions inside these expressions, bypassing all SQL injection protections.

Attackers can craft malicious SQL queries that include harmful PostgreSQL functions, such as pg_read_file, inside array or row expressions. These queries pass all validation phases because the vulnerable function does not check these node types. By exploiting this, an unauthenticated attacker can upload and execute a malicious shared library on the database server, achieving arbitrary code execution with database user privileges.

The exploit involves reading files, uploading a compiled payload as a PostgreSQL shared library via large object operations, configuring PostgreSQL to load this library, and then triggering code execution on the server. This leads to full system compromise, including unauthorized data access, data manipulation, service disruption, and persistence. [1]
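As an added illustration (not WeKnora's code, and not the real pg_query node types), the Go program below models the validation flaw described above with a constructed, hypothetical `Node` type. A validator that only recognises a function call placed directly in a SELECT target misses the same call once it is wrapped in an ArrayExpr or RowExpr, whereas a single generic recursive walk rejects it at any depth. The `Node` type, the helper constructors and the blocklist are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Node is a deliberately small, constructed stand-in for a parsed
// PostgreSQL expression tree. It is hypothetical: neither WeKnora's own
// types nor a real pg_query AST, but the same shape of problem applies.
type Node struct {
	Kind     string  // SelectStmt, ResTarget, FuncCall, ArrayExpr, RowExpr, ColumnRef, Const
	Name     string  // function name for FuncCall, column name for ColumnRef, value for Const
	Children []*Node // targets, arguments, or array/row elements
}

// Blocklist of server-side functions a read-only query tool should never
// accept (names taken from this page; illustrative, not exhaustive).
var blockedFunctions = map[string]bool{
	"pg_read_file": true, "lo_from_bytea": true, "lo_put": true,
	"lo_export": true, "pg_reload_conf": true,
}

var errBlocked = errors.New("blocked function in query")

// validateShallow models the flawed pattern: it examines each SELECT
// target and only recognises a FuncCall that sits directly there. A call
// wrapped in ArrayExpr or RowExpr is never visited, so the query passes.
func validateShallow(stmt *Node) error {
	for _, target := range stmt.Children {
		for _, expr := range target.Children {
			if expr.Kind == "FuncCall" && blockedFunctions[strings.ToLower(expr.Name)] {
				return fmt.Errorf("%w: %s", errBlocked, expr.Name)
			}
		}
	}
	return nil
}

// validateRecursive is the corrected shape: one generic walk that visits
// every node and every child, so container expressions are descended
// into rather than enumerated case by case (and a new node type added
// later is covered automatically).
func validateRecursive(n *Node) error {
	if n == nil {
		return nil
	}
	if n.Kind == "FuncCall" && blockedFunctions[strings.ToLower(n.Name)] {
		return fmt.Errorf("%w: %s", errBlocked, n.Name)
	}
	for _, c := range n.Children {
		if err := validateRecursive(c); err != nil {
			return err
		}
	}
	return nil
}

// Hypothetical helpers to build trees tersely.
func sel(targets ...*Node) *Node            { return &Node{Kind: "SelectStmt", Children: targets} }
func target(expr *Node) *Node               { return &Node{Kind: "ResTarget", Children: []*Node{expr}} }
func col(name string) *Node                 { return &Node{Kind: "ColumnRef", Name: name} }
func lit(v string) *Node                    { return &Node{Kind: "Const", Name: v} }
func call(name string, args ...*Node) *Node { return &Node{Kind: "FuncCall", Name: name, Children: args} }
func array(elems ...*Node) *Node            { return &Node{Kind: "ArrayExpr", Children: elems} }
func row(elems ...*Node) *Node              { return &Node{Kind: "RowExpr", Children: elems} }

// Constructed queries: a benign one, a direct blocked call, the bypass
// shape from this page (call nested inside ARRAY[...]), and a deeper
// ARRAY[ROW(...)] nesting with mixed-case function name.
var (
	benignQuery  = sel(target(col("name")), target(call("upper", col("name"))))
	directQuery  = sel(target(call("pg_read_file", lit("/etc/passwd"))))
	nestedQuery  = sel(target(col("name")), target(array(call("pg_read_file", lit("/etc/passwd")), lit("safe-string"))))
	deeplyNested = sel(target(array(row(lit("x"), call("PG_READ_FILE", lit("/etc/passwd"))))))
)

func main() {
	queries := map[string]*Node{"benign": benignQuery, "direct": directQuery, "nested": nestedQuery, "deep": deeplyNested}
	for name, q := range queries {
		fmt.Printf("%-7s shallow=%v recursive=%v\n", name, validateShallow(q), validateRecursive(q))
	}
}
```

The point of the comparison is that the fix is structural, not a longer list of special cases: a validator that whitelists node kinds one by one will keep missing whichever container expression was not thought of, while a walk that visits every child of every node has no such gap.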
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete system compromise through remote code execution on the database server. An attacker can extract sensitive data such as database contents, system files, credentials, and API keys without authentication.
- Unauthorized data extraction
- Data manipulation, including record alteration, backdoor injection, and audit log tampering
- Service disruption such as table deletion, database crashes, and denial of service
- Establishment of persistence mechanisms like installing backdoors
- Lateral movement to other connected systems
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether the vulnerable versions of WeKnora (prior to 0.2.12) are in use and monitoring for suspicious SQL queries that exploit unvalidated PostgreSQL array and row expressions.

Specifically, you can look for SQL queries embedding dangerous PostgreSQL functions such as pg_read_file inside array expressions, for example:

```sql
SELECT name, ARRAY[pg_read_file('/etc/passwd'), 'safe-string'] FROM knowledge_bases LIMIT 1
```

To detect exploitation attempts, monitor database query logs for such patterns or unusual large object operations (lo_from_bytea, lo_put, lo_export) and configuration reload commands (pg_reload_conf).

Suggested commands to check for suspicious activity might include:

- Query PostgreSQL logs for usage of pg_read_file or large object functions: `grep -iE 'pg_read_file|lo_from_bytea|lo_put|lo_export|pg_reload_conf' /var/log/postgresql/postgresql.log`
- Check active queries for suspicious array or row expressions: `SELECT pid, query FROM pg_stat_activity WHERE query LIKE '%ARRAY[pg_read_file%' OR query LIKE '%RowExpr%';`

Also verify the version of WeKnora in use to confirm if it is vulnerable:

- Check WeKnora version (method depends on deployment, e.g., application version command or package manager). [1]
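The log review described above can be automated. As an added example (not from this page or the WeKnora project), the Go program below scans constructed PostgreSQL log lines for calls to the functions named in the answer and additionally reports whether a call sits inside an ARRAY[...] or ROW(...) constructor, which is what the bypass looks like in query text. The log format, the sample lines and the blocklist are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one log line that calls a function from the blocklist.
type Finding struct {
	Line      int      // 1-based index into the scanned slice
	Functions []string // blocklisted functions called on that line
	Nested    bool     // true when a call sits inside ARRAY[...] or ROW(...)
}

// Functions named on this page as exploitation indicators. Only real calls
// (name followed by an opening parenthesis) match, so an identifier such as
// lo_export_date or a string like '%reload%' is not reported.
var blockedCall = regexp.MustCompile(`(?i)\b(pg_read_file|lo_from_bytea|lo_put|lo_export|pg_reload_conf)\s*\(`)

// statementText strips the PostgreSQL log prefix and keeps only the SQL
// that follows "statement:" or "execute <name>:".
var statementText = regexp.MustCompile(`(?i)(?:statement|execute [^:]+):\s*(.*)$`)

// endsWithWord reports whether s (already upper-cased) ends with word as a
// whole identifier, ignoring trailing blanks, so "GROW(" is not "ROW(".
func endsWithWord(s, word string) bool {
	s = strings.TrimRight(s, " \t")
	if !strings.HasSuffix(s, word) {
		return false
	}
	rest := s[:len(s)-len(word)]
	if rest == "" {
		return true
	}
	last := rest[len(rest)-1]
	return !(last == '_' || ('A' <= last && last <= 'Z') || ('0' <= last && last <= '9'))
}

// insideContainer reports whether byte offset pos in sql lies inside an
// unclosed ARRAY[ ... ] or ROW( ... ) constructor. A bracket stack is
// enough for a log heuristic; this is not a SQL parser.
func insideContainer(sql string, pos int) bool {
	upper := strings.ToUpper(sql[:pos])
	var stack []bool // one entry per open bracket: true if it opened ARRAY[ or ROW(
	for i, ch := range upper {
		switch ch {
		case '[':
			stack = append(stack, endsWithWord(upper[:i], "ARRAY"))
		case '(':
			stack = append(stack, endsWithWord(upper[:i], "ROW"))
		case ']', ')':
			if len(stack) > 0 {
				stack = stack[:len(stack)-1]
			}
		}
	}
	for _, isContainer := range stack {
		if isContainer {
			return true
		}
	}
	return false
}

// ScanLogLines returns one Finding per log line that calls a blocklisted
// function; lines without a statement or without such a call are skipped.
func ScanLogLines(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := statementText.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		sql := m[1]
		var f Finding
		for _, loc := range blockedCall.FindAllStringSubmatchIndex(sql, -1) {
			// loc[2]:loc[3] is the captured function name.
			f.Functions = append(f.Functions, strings.ToLower(sql[loc[2]:loc[3]]))
			if insideContainer(sql, loc[2]) {
				f.Nested = true
			}
		}
		if len(f.Functions) > 0 {
			f.Line = i + 1
			findings = append(findings, f)
		}
	}
	return findings
}

// Constructed sample lines in the default PostgreSQL log prefix format;
// they are not real WeKnora or PostgreSQL logs.
var sampleLog = []string{
	`2026-03-08 10:15:02 UTC [2231] app@weknora LOG:  statement: SELECT id, name FROM knowledge_bases LIMIT 20`,
	`2026-03-08 10:15:07 UTC [2231] app@weknora LOG:  statement: SELECT name, ARRAY[pg_read_file('/etc/passwd'), 'safe-string'] FROM knowledge_bases LIMIT 1`,
	`2026-03-08 10:15:09 UTC [2231] app@weknora LOG:  execute <unnamed>: SELECT lo_from_bytea(0, $1)`,
	`2026-03-08 10:15:11 UTC [2231] app@weknora LOG:  statement: SELECT pg_reload_conf()`,
	`2026-03-08 10:16:00 UTC [2240] app@weknora LOG:  statement: SELECT count(*) FROM documents WHERE title ILIKE '%reload%'`,
	`2026-03-08 10:16:03 UTC [2240] app@weknora LOG:  statement: SELECT lo_export_date FROM exports`,
}

func main() {
	for _, f := range ScanLogLines(sampleLog) {
		fmt.Printf("line %d: %s (inside ARRAY/ROW: %v)\n", f.Line, strings.Join(f.Functions, ", "), f.Nested)
	}
}
```

Two details matter when turning the grep above into a detection rule. Requiring an opening parenthesis after the name keeps ordinary identifiers and string contents from producing hits. And `RowExpr` is the parser's node name, not anything that appears in SQL text, so a `LIKE '%RowExpr%'` filter on `pg_stat_activity` finds nothing; the scanner therefore looks for a `ROW(` constructor in the query itself.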
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade WeKnora to version 0.2.12 or later, where the vulnerability is patched by fixing the recursive validation of PostgreSQL array and row expressions.
- Restrict database user permissions to SELECT-only, disallowing execution of administrative or large object functions.
- Disable dynamic library loading in PostgreSQL by clearing the configuration parameters dynamic_library_path and session_preload_libraries.
- Implement a strict blocklist of dangerous PostgreSQL functions such as pg_read_file and large object functions.
These steps help prevent attackers from exploiting the SQL injection bypass and loading malicious shared libraries to achieve remote code execution.