WeKnora MCP Stdio Command Injection RCE (CVE-2026-30861)

Executive Summary

What: A high-severity low-privilege remote code execution vulnerability (CVE-2026-30861, CVSS 8.8) exists in WeKnora, Tencent's LLM-powered document understanding framework, through command injection in its Model Context Protocol (MCP) stdio configuration (NVD). The CVSS vector specifies Privileges Required: Low (PR:L), meaning a registered account is needed; however, WeKnora permits unrestricted self-registration without email verification, making account creation trivial (GHSA-r55h-3rwj-hcmg). An attacker who registers an account can bypass command whitelisting to execute arbitrary operating system commands with full application privileges (GHSA-r55h-3rwj-hcmg).

So What: This vulnerability illustrates an emerging pattern in MCP implementation security. The stdio transport — designed to connect AI agents to external tools — becomes a direct vector for server-side command execution when input validation is incomplete. Organisations deploying WeKnora versions 0.2.5 through 0.2.9 with network-accessible instances are exposed to full server compromise requiring only a low-privilege account (PR:L), which is trivially obtainable through unrestricted self-registration (GHSA-r55h-3rwj-hcmg).

Now What: Upgrade to WeKnora 0.2.10 immediately. The patch removes the stdio transport entirely rather than attempting to improve input validation, effectively eliminating the attack surface (Patch commit 57d6fea). Audit all MCP-enabled tools in your environment for similar command injection patterns.

Risk Rating

Affected Products

Am I Affected?

• Check if WeKnora is deployed in your environment (it is a Go application with a Vue.js frontend)
• Verify the installed version: any version from 0.2.5 through 0.2.9 is vulnerable (GHSA-r55h-3rwj-hcmg)
• Review whether the MCP stdio interface is network-accessible
• Check if user self-registration is enabled without email verification or approval workflows

Abstract

CVE-2026-30861 is a high-severity command injection vulnerability in Tencent's WeKnora LLM document understanding framework. The flaw resides in the MCP stdio configuration validation layer, which implements a whitelist for allowed commands (npx, uvx) and a blacklist for dangerous arguments but fails to block the -p flag (NVD). When combined with npx node, the -p flag instructs Node.js to evaluate and print an arbitrary JavaScript expression, enabling full remote code execution (GHSA-r55h-3rwj-hcmg). Exploitation requires only a registered user account, which can be obtained through unrestricted self-registration without email verification (GHSA-r55h-3rwj-hcmg). The fix in version 0.2.10 removes the stdio transport entirely rather than attempting to improve input validation — a practical response to the fundamental difficulty of securing whitelist-based command validation for subprocess spawning (Patch commit 57d6fea).

Key Findings

1. Critical command injection via MCP stdio — WeKnora's command whitelist permits npx but fails to block the -p flag in subsequent arguments, enabling npx node -p "<arbitrary JS>" to achieve full RCE (GHSA-r55h-3rwj-hcmg).

2. Trivial exploitation path — Account registration requires no email verification or approval workflow, allowing any network-adjacent attacker to obtain credentials and access the MCP stdio configuration interface (GHSA-r55h-3rwj-hcmg).

3. Patch removes entire stdio transport — Rather than improving the whitelist/blacklist approach, the version 0.2.10 patch completely removes the stdio transport option, deleting all related UI components and helper functions (Patch commit 57d6fea).

4. Scope: Disputed — NIST assesses scope as Unchanged (S:U), rating this vulnerability at CVSS 8.8 HIGH. The CNA (GitHub) assesses scope as Changed (S:C), rating it at 9.9 CRITICAL. This advisory adopts the NVD assessment (NVD, GHSA-r55h-3rwj-hcmg).

5. MCP implementation pattern risk (RAXE assessment) — Taken alongside previously documented MCP Server Git path traversal issues, this finding suggests a recurring pattern of security vulnerabilities in MCP implementations across multiple frameworks. This is an analytical assessment based on observed incidents, not a vendor-confirmed systemic issue.

Attack Flow

┌──────────────────┐
│  1. REGISTRATION  │  Attacker registers account on WeKnora instance
│  No email verif.  │  (unrestricted self-registration)
└────────┬─────────┘  (GHSA-r55h-3rwj-hcmg)
         │
         ▼
┌──────────────────┐
│  2. AUTH & ACCESS  │  Attacker authenticates and accesses
│  MCP stdio config │  MCP service configuration interface
└────────┬─────────┘
         │
         ▼
┌──────────────────┐
│  3. PAYLOAD CRAFT │  command: "npx"
│  Whitelist bypass │  args: ["node", "-p", "<JS expression>"]
└────────┬─────────┘  (GHSA-r55h-3rwj-hcmg)
         │
         ▼
┌──────────────────┐
│  4. VALIDATION    │  "npx" passes command whitelist
│  BYPASS           │  "-p" not in argument blacklist
│                   │  No semantic analysis of arg chains
└────────┬─────────┘  (GHSA-r55h-3rwj-hcmg)
         │
         ▼
┌──────────────────┐
│  5. EXECUTION     │  Node.js evaluates JS expression
│  RCE achieved     │  Runs with full app privileges
└────────┬─────────┘  (NVD)
         │
         ▼
┌──────────────────┐
│  6. IMPACT        │  Arbitrary file read/write
│  Full compromise  │  Credential exfiltration
│                   │  Lateral movement
└──────────────────┘  (NVD)

Technical Details

Vulnerability Mechanics

WeKnora implements the Model Context Protocol (MCP) to connect its LLM-powered document understanding system to external tools. The stdio transport allows users to configure a subprocess command and arguments via the MCP service configuration interface (GHSA-r55h-3rwj-hcmg).

The validation logic (ValidateStdioConfig() → ValidateStdioArgs()) applies two layers of input checking (GHSA-r55h-3rwj-hcmg):

1. Command whitelist — Only npx and uvx are permitted as the primary command
2. Argument blacklist — A DangerousArgPatterns regex blocks certain dangerous arguments

However, the blacklist does not include the -p flag. When combined with npx node, this flag instructs Node.js to evaluate and print a JavaScript expression, effectively granting arbitrary code execution (GHSA-r55h-3rwj-hcmg).

Exploitation Mechanism

The attack leverages a semantic gap in argument validation. The validator checks individual arguments against a pattern list but does not assess the combined meaning of argument sequences. The chain npx → node → -p → <expression> is semantically equivalent to arbitrary code execution, but each individual argument passes validation (GHSA-r55h-3rwj-hcmg).

An example payload structure (from the GHSA advisory):

{
    "command": "npx",
    "args": ["node", "-p", "require('fs').writeFileSync('/tmp/pwned.txt', 'payload')"]
}

This payload passes all validation checks and achieves file write. More destructive payloads using child_process modules would achieve full shell command execution (GHSA-r55h-3rwj-hcmg).

CVSS Vector Analysis

The CVSS:3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD) reflects:

• Attack Vector: Network — exploitable remotely
• Attack Complexity: Low — no special conditions required
• Privileges Required: Low — only a registered account (trivially obtainable)
• User Interaction: None — no victim action needed
• Scope: Unchanged — NIST assesses impact as contained to the vulnerable component (CNA assesses as Changed)
• Impact: High across Confidentiality, Integrity, and Availability

Weakness Classification

CWE-78: Improper Neutralisation of Special Elements used in an OS Command ('OS Command Injection') (NVD).

Patch Analysis

The vendor's fix in commit 57d6fea takes a defence-in-depth approach by completely removing the attack surface (Patch commit 57d6fea):

• Removed the "stdio" radio button from the MCP service configuration UI
• Removed all stdio configuration form fields (command, arguments, environment variables)
• Updated the TypeScript transport type from 'sse' | 'http-streamable' | 'stdio' to 'sse' | 'http-streamable'
• Deleted helper functions: addArg(), removeArg(), addEnvVar(), removeEnvVar(), updateEnvVarKey()
• Added code comment: "Stdio transport is disabled for security reasons"

The effect is to eliminate the attack surface entirely. Whitelist-based command validation for stdio subprocess spawning is fundamentally difficult to secure — the combinatorial space of dangerous argument sequences across multiple runtimes (Node.js, Python, etc.) makes blacklisting impractical (Patch commit 57d6fea).

Confidence & Validation

Assessment Confidence: High

Detection Signatures (Formal Rules)

Sigma Rule 1 — npx node -p Command Injection (Process Creation)

Detects process creation patterns consistent with CVE-2026-30861 exploitation, where npx spawns node with the -p flag to evaluate arbitrary JavaScript (GHSA-r55h-3rwj-hcmg).

title: WeKnora MCP Stdio Command Injection via npx node -p
id: raxe-2026-018-sigma-01
status: experimental
description: >
  Detects execution of 'npx node -p' patterns indicative of CVE-2026-30861
  exploitation in WeKnora MCP stdio configuration. The -p flag instructs
  Node.js to evaluate and print a JavaScript expression, bypassing the
  application's command whitelist validation (GHSA-r55h-3rwj-hcmg).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30861
  - https://github.com/Tencent/WeKnora/security/advisories/GHSA-r55h-3rwj-hcmg
author: RAXE Labs (M. Hirani)
date: 2026-03-08
tags:
  - attack.execution
  - attack.t1059.007
  - cve.2026.30861
logsource:
  category: process_creation
  product: linux
detection:
  selection_npx_node_p:
    ParentImage|endswith:
      - '/weknora'
      - '/weknora-server'
    CommandLine|contains|all:
      - 'npx'
      - 'node'
      - ' -p '
  selection_npx_eval_flags:
    ParentImage|endswith:
      - '/weknora'
      - '/weknora-server'
    CommandLine|contains|all:
      - 'npx'
      - 'node'
    CommandLine|contains:
      - ' -e '
      - '--eval'
      - '--require'
      - '-r '
  condition: selection_npx_node_p or selection_npx_eval_flags
level: high
falsepositives:
  - Legitimate use of npx node -p for debugging within WeKnora (unlikely in production)
  - This is a high-confidence heuristic for exploitation attempts, not a confirmed-compromise indicator

Sigma Rule 2 — Suspicious Child Process from WeKnora (Post-Exploitation) [Hunting/Telemetry]

Limitations: This rule matches benign activity. npm scripts, MCP tool integrations, and health-check scripts routinely spawn shell and Python processes from Node.js parent processes. This rule is intended for threat hunting and telemetry enrichment, not standalone alerting. Analysts should correlate hits with Sigma Rule 1 or other indicators before escalating.

Detects suspicious child processes spawned by the WeKnora application after successful command injection (GHSA-r55h-3rwj-hcmg).

title: Suspicious Child Process Spawned by WeKnora Application
id: raxe-2026-018-sigma-02
status: experimental
description: >
  Detects suspicious child processes spawned by the WeKnora application,
  which may indicate successful exploitation of CVE-2026-30861. After achieving
  command injection via MCP stdio, attackers are expected to spawn interactive
  shells or execute reconnaissance commands (GHSA-r55h-3rwj-hcmg).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30861
  - https://github.com/Tencent/WeKnora/security/advisories/GHSA-r55h-3rwj-hcmg
author: RAXE Labs (M. Hirani)
date: 2026-03-08
tags:
  - attack.execution
  - attack.t1059
  - cve.2026.30861
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/weknora'
      - '/weknora-server'
      - '/node'
      - '/npx'
  selection_suspicious_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/zsh'
      - '/curl'
      - '/wget'
      - '/python'
      - '/python3'
      - '/nc'
      - '/ncat'
  condition: selection_parent and selection_suspicious_child
level: medium
falsepositives:
  - WeKnora health check scripts that invoke shell utilities
  - Legitimate MCP tool integrations that spawn subprocesses
  - npm scripts and Node.js tooling that routinely spawn shell processes

Sigma Rule 3 — MCP Stdio Configuration API Request [Hunting/Telemetry]

Limitations: On unpatched versions (< 0.2.10), legitimate stdio configuration requests will match selection_stdio_config. The rule requires both selections to fire, but legitimate tool setup that happens to include -p or -e flags for valid reasons would also match. Treat matches as leads for investigation, not confirmed compromise. On patched versions (>= 0.2.10), any stdio configuration attempt is inherently suspicious since the feature has been removed.

Detects HTTP requests to the MCP service configuration endpoint containing stdio transport parameters (GHSA-r55h-3rwj-hcmg).

title: WeKnora MCP Stdio Configuration API Request
id: raxe-2026-018-sigma-03
status: experimental
description: >
  Detects HTTP requests containing MCP stdio configuration parameters
  submitted to a WeKnora instance. Any request attempting to configure
  stdio transport on versions >= 0.2.10 is suspicious (feature removed).
  On unpatched versions, requests with -p, -e, or --eval in the args
  array are indicators of exploitation (GHSA-r55h-3rwj-hcmg).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-30861
  - https://github.com/Tencent/WeKnora/security/advisories/GHSA-r55h-3rwj-hcmg
author: RAXE Labs (M. Hirani)
date: 2026-03-08
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.30861
logsource:
  category: webserver
  product: any
detection:
  selection_stdio_config:
    cs-uri-query|contains: 'stdio'
    cs-body|contains:
      - 'stdio_config'
      - '"transport":"stdio"'
      - '"command":"npx"'
  selection_injection_indicators:
    cs-body|contains:
      - '"-p"'
      - '"-e"'
      - '"--eval"'
      - '"--require"'
  condition: selection_stdio_config and selection_injection_indicators
level: medium
falsepositives:
  - Legitimate MCP stdio configuration on unpatched versions that includes flagged arguments for valid reasons
  - This is a hunting heuristic; matches require analyst investigation to distinguish exploitation from legitimate configuration

YARA Rule — Vulnerable MCP Stdio Configuration

Identifies WeKnora source code or configuration files containing the vulnerable MCP stdio transport implementation (Patch commit 57d6fea).

rule WeKnora_MCP_Stdio_Vulnerable_Config
{
    meta:
        description = "Detects WeKnora MCP stdio configuration patterns indicating an unpatched instance vulnerable to CVE-2026-30861"
        author = "RAXE Labs (M. Hirani)"
        date = "2026-03-08"
        reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-30861"
        reference2 = "https://github.com/Tencent/WeKnora/security/advisories/GHSA-r55h-3rwj-hcmg"
        severity = "high"
        finding_id = "CVE-2026-30861"

    strings:
        $stdio_transport = "stdio" ascii wide
        $mcp_config_1 = "stdio_config" ascii wide
        $mcp_config_2 = "mcpServiceDialog" ascii wide
        $cmd_npx = "npx" ascii wide
        $cmd_uvx = "uvx" ascii wide
        $addarg_func = "addArg" ascii wide
        $removearg_func = "removeArg" ascii wide

    condition:
        $stdio_transport and $mcp_config_1 and
        ($cmd_npx or $cmd_uvx) and
        ($addarg_func or $removearg_func)
}

Detection & Mitigation

Immediate Actions

1. Upgrade to WeKnora 0.2.10 — This is the primary remediation. The patch removes the stdio transport entirely, eliminating the attack surface (GHSA-r55h-3rwj-hcmg).

2. Restrict network access — If an immediate upgrade is not possible, restrict network access to the WeKnora instance using firewall rules or network segmentation. The MCP stdio configuration interface should not be internet-facing.

3. Restrict user self-registration — Implement email verification or manual approval workflows for user account creation to raise the barrier for attackers seeking the low-privilege account required for exploitation (GHSA-r55h-3rwj-hcmg).

Detection Guidance

• Process monitoring — Deploy Sigma Rules 1-2 on hosts running WeKnora to detect npx node -p execution patterns and suspicious child processes. Requires endpoint telemetry (Sysmon, auditd, or osquery).
• Web application firewall — Configure WAF rules to inspect HTTP request bodies for stdio_config parameters containing dangerous flags (-p, -e, --eval, --require).
• Log review — Audit WeKnora application logs for MCP service configuration changes, particularly those involving stdio transport.

Strategic Recommendations

• Audit all MCP-enabled tools — Review every MCP implementation in the environment for similar command injection vectors. The stdio transport pattern is not unique to WeKnora.
• Establish MCP security review process — Require security review of all MCP tool integrations before deployment, with specific attention to subprocess spawning and command validation.
• Monitor MCP ecosystem advisories — Track security advisories across the MCP ecosystem. This finding, alongside previously documented MCP path traversal vulnerabilities, suggests a recurring pattern worth monitoring.

Indicators of Compromise

Strategic Context

The MCP stdio command injection in WeKnora fits what RAXE Labs assesses to be a broader pattern of security vulnerabilities emerging as the AI agent ecosystem matures. Several trends converge to make this finding strategically significant:

MCP adoption is growing (RAXE assessment). The Model Context Protocol, initially developed by Anthropic, is gaining traction as an interface for connecting AI agents to external tools and data sources. As adoption grows, so does the attack surface. MCP implementations that spawn subprocesses via stdio transport are particularly high-risk, as they bridge the gap between web application input and operating system command execution.

Whitelist/blacklist validation is insufficient for command execution (RAXE assessment). The WeKnora vulnerability demonstrates that even well-intentioned input validation fails when applied to the combinatorial space of command-line argument semantics. The patch's removal of the stdio transport entirely — rather than attempting to improve the blacklist — illustrates the practical difficulty of securing this pattern.

AI framework security is an emerging discipline (RAXE assessment). Traditional application security testing may not assess MCP tool configurations, subprocess spawning patterns, or agent-to-tool trust boundaries. Organisations deploying AI frameworks need to extend their security review processes to cover these novel attack surfaces.

Regulatory attention is increasing (RAXE assessment). The EU AI Act and comparable frameworks are driving requirements for AI system security assessments. Vulnerabilities like CVE-2026-30861 — where an AI framework enables full server compromise — may increasingly fall under regulatory scrutiny.

References

1. CVE-2026-30861 — NVD entry, CVSS 8.8 HIGH (NVD)
2. GHSA-r55h-3rwj-hcmg — GitHub Security Advisory, vendor-confirmed (GHSA-r55h-3rwj-hcmg)