Tencent WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. In versions before 0.2.12, its 'Import document via URL' feature is vulnerable to Server-Side Request Forgery (SSRF) due to improper handling of HTTP redirects. The backend attempts to validate URLs by blocking access to private IP ranges, loopback addresses, reserved hostnames, and cloud metadata endpoints to prevent SSRF attacks. However, it does not validate the targets of HTTP redirects, allowing an attacker to craft a redirect chain that ultimately points to internal network resources. This bypasses all URL validation controls. Furthermore, Docker-specific internal addresses like host.docker.internal are not blocked, which can be leveraged in containerized environments to access internal services. Exploiting this vulnerability enables an unauthenticated attacker to make the server perform arbitrary HTTP requests within its internal network, potentially exposing sensitive information from internal services that are otherwise inaccessible externally. The vulnerability is tracked as CWE-918 (SSRF) and has a CVSS 3.1 score of 5.9, indicating medium severity with a high impact on confidentiality but no impact on integrity or availability. The vulnerability was publicly disclosed on March 7, 2026, and patched in WeKnora version 0.2.12. No known active exploits have been reported to date.

The primary impact of this SSRF vulnerability is unauthorized disclosure of sensitive information from internal network services that are normally inaccessible from outside the server. Attackers can leverage redirect chains to bypass URL validation and access internal endpoints, including cloud metadata services or Docker internal addresses, which may contain credentials, configuration data, or other sensitive information. This can lead to further attacks such as privilege escalation, lateral movement, or data exfiltration within the victim's environment. Since the vulnerability does not affect integrity or availability, it does not allow attackers to modify data or disrupt services directly. However, the confidentiality breach can have significant consequences, especially in environments where WeKnora is deployed to process sensitive documents or is integrated with critical internal systems. The lack of authentication requirement and no need for user interaction increases the risk of automated exploitation attempts once the vulnerability is known. Organizations using vulnerable versions of WeKnora may face increased risk of internal network reconnaissance and data leakage.

Organizations should immediately upgrade Tencent WeKnora to version 0.2.12 or later, where this SSRF vulnerability has been patched. In addition to upgrading, it is recommended to implement the following specific mitigations: 1) Enhance URL validation logic to not only validate the initial URL but also all redirect targets, ensuring they do not point to private IP ranges, loopback addresses, reserved hostnames, cloud metadata endpoints, or Docker-specific internal addresses such as host.docker.internal. 2) Employ network-level controls such as firewall rules or egress filtering to restrict the server's ability to make outbound HTTP requests to internal or sensitive IP ranges. 3) Monitor application logs for unusual outbound HTTP requests or redirect chains that could indicate exploitation attempts. 4) Use runtime application self-protection (RASP) or web application firewalls (WAFs) configured to detect and block SSRF patterns, especially those involving redirect chains. 5) Conduct regular security assessments and penetration testing focusing on SSRF vectors, including redirect handling. 6) Isolate the WeKnora service in a segmented network zone with minimal access to sensitive internal resources to limit potential impact. These targeted mitigations complement the patch and reduce the attack surface against SSRF exploitation.