Tencent WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Versions prior to 0.3.0 suffer from a vulnerability classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference) due to an ambiguous naming convention in the MCP client, which uses the pattern mcp_{service}_{tool} for tool registration. This ambiguity allows a malicious remote MCP server to register a tool with a name colliding with legitimate tools (e.g., tavily_extract), effectively overwriting them. This indirect prompt injection enables the attacker to hijack the LLM execution flow, exfiltrate system prompts and context data, and potentially execute other tools with the privileges of the user running the MCP client. The attack requires network access to the MCP server, low privileges, and user interaction, making exploitation moderately difficult but feasible. The vulnerability impacts confidentiality, integrity, and availability to varying degrees, with the highest impact on confidentiality due to potential data exfiltration. Tencent addressed this issue in WeKnora version 0.3.0 by fixing the naming collision and improving tool registration validation.

The vulnerability allows attackers to hijack tool execution within the WeKnora framework, leading to unauthorized access to sensitive system prompts and context, which can contain confidential information. This compromises confidentiality significantly. The attacker can also manipulate the execution flow, potentially causing integrity issues by executing unintended tools or commands. Availability impact is lower but present, as malicious tool execution could disrupt normal operations. Organizations relying on WeKnora for document understanding and semantic retrieval may face data breaches, intellectual property theft, and operational disruptions. Since the attack requires network access and user interaction, the risk is somewhat contained but still significant in environments where WeKnora is deployed in multi-tenant or exposed network scenarios.

1. Upgrade all WeKnora deployments to version 0.3.0 or later, where the vulnerability is patched. 2. Implement strict validation and sanitization of tool names during MCP client registration to prevent name collisions. 3. Restrict network access to MCP servers to trusted entities only, minimizing exposure to malicious remote servers. 4. Monitor MCP tool registration logs for suspicious or unexpected tool names that could indicate attempted exploitation. 5. Employ network segmentation and zero-trust principles around systems running WeKnora to limit lateral movement if compromised. 6. Educate users and administrators about the risks of interacting with untrusted MCP servers and tools. 7. Conduct regular security audits and penetration testing focused on LLM frameworks and their integration points to detect similar vulnerabilities early.