VDB
CVE-2026-30856
CVE-2026-30856
PUBLISHED
CVSS 5.900000095367432 MEDIUM
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user's privileges. This issue has been patched in version 0.3.0.
EPSS 0.02% · 7.3th percentile
Risk Scores
CVSS v3.1
5.900000095367432
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS Score
0.02%
7.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tencent | WeKnora | < 0.3.0, < 0.3.0 |
| github.com | Tencent/WeKnora | 0, 0 |
Timeline
- Mar 6, 2026 CVE Published
- Mar 7, 2026 PoC Published
- Mar 7, 2026 PoC Published
- Mar 8, 2026 EPSS Score
- Mar 9, 2026 CVE Updated
- Mar 9, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
References
- https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx url
- https://nvd.nist.gov/vuln/detail/CVE-2026-30856 advisory
- https://forum.cursor.com/t/mcp-tools-name-collision-causing-cross-service-tool-call-failures/70946 url
- https://github.com/Tencent/WeKnora package
- https://modelcontextprotocol-security.io/ttps/tool-poisoning/tool-name-conflict url
- https://www.elastic.co/security-labs/mcp-tools-attack-defense-recommendations#tool-name-collision url