Tencent WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, it suffers from a vulnerability classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference) due to an ambiguous naming convention in the MCP client component. The MCP client uses a naming pattern (mcp_{service}_{tool}) to register tools. An attacker controlling a remote MCP server can exploit this by registering a malicious tool with a name that collides with an existing legitimate tool, such as 'tavily_extract'. This overwrites the legitimate tool's registration, effectively hijacking the tool execution flow within the LLM framework. The attacker can then redirect the execution flow of the LLM, enabling indirect prompt injection attacks. Through this, sensitive system prompts and contextual information can be exfiltrated, and additional tools may be executed with the privileges of the user running the framework. Exploitation requires network access to the MCP server and some user interaction, with the attacker needing limited privileges. The vulnerability impacts confidentiality (high), integrity (low), and availability (low). The issue was patched in WeKnora version 0.3.0, which corrects the naming collision problem and prevents unauthorized tool overwriting. There are no known exploits in the wild as of the publication date.

The vulnerability allows attackers to hijack tool execution within the WeKnora framework, potentially leading to unauthorized disclosure of sensitive prompts and context data, which can contain proprietary or confidential information. This compromises confidentiality significantly. The attacker can also execute arbitrary tools with the user's privileges, risking integrity and availability of the system, though these impacts are assessed as lower. Organizations relying on WeKnora for document understanding and semantic retrieval may face data leakage, manipulation of LLM workflows, and disruption of services. Since the attack requires network access to the MCP server and user interaction, the risk is somewhat mitigated but still notable in environments where MCP servers are exposed or untrusted. The medium CVSS score (5.9) reflects this balance of impact and exploitation complexity. Failure to patch could lead to targeted attacks against organizations using vulnerable versions, especially those handling sensitive documents or intellectual property.

1. Upgrade WeKnora to version 0.3.0 or later immediately to apply the official patch that resolves the naming collision vulnerability. 2. Restrict MCP server connections to trusted and authenticated sources only; implement network segmentation and firewall rules to limit exposure. 3. Implement strict validation and whitelisting of tool names and registrations within the MCP client to prevent unauthorized overwriting. 4. Monitor MCP client logs for unusual tool registration activities or name collisions that could indicate attempted exploitation. 5. Educate users to avoid interacting with untrusted MCP servers or tools, reducing the risk of user-driven exploitation. 6. Employ runtime monitoring and anomaly detection on LLM execution flows to detect unexpected tool invocations or prompt injections. 7. Regularly audit and review configurations related to MCP client and server communications to ensure adherence to security best practices.