Tencent WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Versions from 0.2.5 to before 0.2.10 contain a critical OS command injection vulnerability (CVE-2026-30861) due to improper neutralization of special elements in the MCP stdio configuration validation process. The application allows unrestricted user registration, enabling any attacker to create an account without authentication. Despite implementing a whitelist restricting allowed commands to 'npx' and 'uvx', and blacklists filtering dangerous arguments and environment variables, the validation logic can be bypassed using the '-p' flag with 'npx node'. This bypass enables attackers to execute arbitrary OS commands with the privileges of the WeKnora application, effectively allowing remote code execution (RCE). The vulnerability affects all installations running versions >=0.2.5 and <0.2.10. The flaw leads to complete system compromise, including potential data theft, service disruption, and lateral movement within networks. Tencent has addressed this issue in version 0.2.10, closing the validation bypass. No public exploits have been reported yet, but the vulnerability's ease of exploitation and impact warrant immediate attention.

The impact of CVE-2026-30861 is severe and multifaceted. Organizations using vulnerable versions of WeKnora face the risk of complete system compromise due to unauthenticated remote code execution. Attackers can execute arbitrary commands, potentially leading to data breaches, unauthorized access to sensitive information, disruption of services, and deployment of malware or ransomware. Since WeKnora is used for deep document understanding and semantic retrieval, compromise could expose confidential documents and intellectual property. The vulnerability's exploitation requires no user interaction or prior privileges, increasing the likelihood of automated attacks and wormable scenarios. The critical CVSS score of 10.0 reflects the high confidentiality, integrity, and availability impacts. Enterprises relying on WeKnora in production environments, especially those processing sensitive or regulated data, are at significant risk until patched.

1. Immediate upgrade to Tencent WeKnora version 0.2.10 or later, where the vulnerability is patched. 2. If immediate upgrade is not feasible, restrict network access to WeKnora services to trusted internal users only, using firewalls or network segmentation. 3. Implement strict monitoring and alerting for unusual command execution or process spawning related to 'npx' or 'uvx' commands within WeKnora environments. 4. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts. 5. Enforce least privilege principles on the system user running WeKnora to limit the potential damage of exploitation. 6. Conduct thorough audits of user registration and authentication mechanisms to detect and prevent abuse. 7. Regularly review and update command whitelists and blacklists to cover new bypass techniques. 8. Maintain up-to-date backups and incident response plans to recover quickly from potential compromises.