CVE-2025-11046 is a server-side request forgery (SSRF) vulnerability identified in Tencent WeKnora version 0.1.0, specifically affecting the function testEmbeddingModel within the API endpoint /api/v1/initialization/embedding/test. The vulnerability arises due to improper validation or sanitization of the baseUrl parameter, which an attacker can manipulate to coerce the server into making unauthorized HTTP requests to arbitrary internal or external resources. SSRF vulnerabilities can be exploited remotely without authentication or user interaction, allowing attackers to potentially access internal services, bypass firewalls, or perform reconnaissance on internal network infrastructure. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. The vendor, Tencent, has confirmed that this issue does not exist in the latest releases beyond version 0.1.0, recommending upgrading to a fixed version. Although no known exploits are currently observed in the wild, the public availability of the exploit code increases the risk of exploitation. This vulnerability is critical to address in environments where Tencent WeKnora 0.1.0 is deployed, especially in contexts where internal network security is paramount.

For European organizations, the SSRF vulnerability in Tencent WeKnora 0.1.0 poses a significant risk primarily in scenarios where the affected software is integrated into internal systems or cloud environments. Exploitation could allow attackers to pivot into internal networks, access sensitive internal services, or exfiltrate data by leveraging the server's trust relationships. This could lead to unauthorized access to confidential information, disruption of services, or further lateral movement within corporate networks. Given the medium severity, the impact on confidentiality, integrity, and availability is limited but non-negligible, especially in sectors with strict data protection regulations such as finance, healthcare, and government. The remote and unauthenticated nature of the exploit increases the threat surface, making it easier for attackers to target vulnerable deployments. Additionally, the public availability of exploit code could accelerate attack attempts. European organizations using Tencent WeKnora 0.1.0 should prioritize patching to mitigate potential risks and comply with data protection mandates like GDPR.

1. Immediate upgrade: Organizations should upgrade Tencent WeKnora to the latest version where this vulnerability is confirmed fixed. Avoid continued use of version 0.1.0. 2. Input validation: Implement strict validation and sanitization of all user-controlled inputs, especially parameters like baseUrl, to restrict requests to allowed domains or IP ranges. 3. Network segmentation: Restrict the server's ability to make outbound requests to sensitive internal resources by applying network-level controls such as firewall rules or proxy restrictions. 4. Monitoring and logging: Enable detailed logging of outbound requests from the application and monitor for unusual or unauthorized request patterns indicative of SSRF exploitation attempts. 5. Web application firewall (WAF): Deploy or update WAF rules to detect and block SSRF attack patterns targeting the vulnerable endpoint. 6. Incident response readiness: Prepare to respond to potential exploitation attempts by having detection and containment procedures in place. 7. Vendor coordination: Maintain communication with Tencent for updates and security advisories related to WeKnora.