GO-2026-4638 — Vulnetix

GO-2026-4638 PUBLISHED

WeKnora Vulnerable to Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection in github.com/Tencent/WeKnora

Affected Products

Vendor	Product	Versions
github.com	Tencent/WeKnora	0, 0

Timeline

Mar 10, 2026 CVE Published
Mar 23, 2026 CVE Updated

References

https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx advisory
https://forum.cursor.com/t/mcp-tools-name-collision-causing-cross-service-tool-call-failures/70946 url
https://modelcontextprotocol-security.io/ttps/tool-poisoning/tool-name-conflict url
https://www.elastic.co/security-labs/mcp-tools-attack-defense-recommendations#tool-name-collision url

Open in Interactive Console →