Tencent WeKnora is an LLM-powered framework for deep document understanding and semantic retrieval. Versions 0.2.5 through 0.2.9 contain a critical OS command injection vulnerability (CVE-2026-30861) in the MCP stdio configuration validation component. The application permits unrestricted user registration, allowing any attacker to create an account without authentication. The vulnerability arises because the application attempts to restrict command execution by implementing a whitelist of allowed commands (notably 'npx' and 'uvx') and blacklists for dangerous arguments and environment variables. However, this validation is flawed and can be bypassed using the '-p' flag with 'npx node', enabling attackers to inject arbitrary OS commands. Exploiting this flaw allows execution of commands with the privileges of the WeKnora application, potentially leading to full system compromise, including confidentiality, integrity, and availability impacts. The vulnerability is rated with a CVSS 3.1 base score of 10.0, reflecting its critical nature, network attack vector, low attack complexity, no required privileges, no user interaction, and scope change. The issue was publicly disclosed on March 7, 2026, and patched in version 0.2.10. No known exploits have been reported in the wild yet. This vulnerability exemplifies the risks of improper input validation and command sanitization in software that executes system commands, especially when combined with open user registration.

The impact of CVE-2026-30861 is severe for organizations deploying affected versions of Tencent WeKnora. An attacker can remotely execute arbitrary commands on the host system without authentication, leading to complete system takeover. This compromises confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by enabling destructive actions such as service disruption or ransomware deployment. Since WeKnora is designed for deep document understanding and semantic retrieval, it may be integrated into enterprise document management, research, or knowledge systems, making the data and services critical. The unrestricted user registration lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations could face data breaches, operational downtime, and reputational damage. The critical CVSS score underscores the urgency of remediation. Although no exploits are currently known in the wild, the ease of exploitation and high impact make this a prime target for attackers once public details are widely available.

1. Immediately upgrade Tencent WeKnora to version 0.2.10 or later, where the vulnerability is patched. 2. If upgrading is not immediately possible, restrict network access to the WeKnora application to trusted users only, using firewalls or network segmentation. 3. Implement additional application-layer controls to monitor and block suspicious command execution patterns, especially those involving 'npx' and the '-p' flag. 4. Enforce strong user registration controls, such as CAPTCHA, email verification, or administrator approval, to reduce automated account creation by attackers. 5. Conduct thorough logging and monitoring of command execution and user activities within WeKnora to detect potential exploitation attempts. 6. Review and harden the underlying operating system and container environments hosting WeKnora, applying the principle of least privilege to limit damage from potential compromise. 7. Educate development teams on secure coding practices, particularly proper input validation and command sanitization to prevent similar injection flaws. 8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts in real time.