AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-67q9-58vj-32qx: WeKnora Vulnerable to Tool Execution Hijacking via Ambigous Naming Convention In MCP client and Indirect Prompt Injection

mediumvulnerabilityLLM-Specific

security

Source: GitHub Advisory DatabaseMarch 6, 2026CVE-2026-30856

Summary

WeKnora has a vulnerability where a malicious MCP server (a remote tool provider that integrates with AI clients) can hijack legitimate tools by exploiting how tool names are generated. An attacker registers a fake tool with the same name as a real one (like `tavily_extract`), which overwrites the legitimate version in the tool registry (the list of available tools). The attacker can then trick the LLM into executing their malicious tool and leak sensitive information like system prompts through prompt injection (hiding instructions in tool outputs that the AI treats as commands).

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

Prompt Injection

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Affected Vendors

Affected Packages

github.com/Tencent/WeKnora@<= 0.2.14

Related Issues

high

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

Similar attackEmbrace The Red

medium

CVE-2024-45989: Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposure of Sensitive Information to an Unauthorized Act

First tracked: March 6, 2026 at 07:00 PM

Classified by LLM (prompt v3) · confidence: 85%