CVE-2026-22687

Published: Jan 10, 2026

Modified: Mar 10, 2026

PUBLISHED

CVSS v3.1

5.6

MEDIUM

Description

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.

Vendor	Product	Versions
Tencent	WeKnora	affected `< 0.2.5`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv

x_refsource_CONFIRM

https://github.com/Tencent/WeKnora/commit/da55707022c252dd2c20f8e18145b2d899ee06a1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-22687

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References