Tencent WeKnora Command Injection Vulnerability Allowing Remote Code Execution

A command injection vulnerability has been identified in Tencent WeKnora versions prior to 0.2.5. This vulnerability allows authenticated users to inject commands and arguments into the MCP stdio settings, which the server then executes as subprocesses. The issue arises from a lack of proper validation and security filtering on the injected values, enabling unauthorized command execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with the potential to create or modify files, execute additional payloads, and disrupt services. Additionally, there is a risk of exfiltrating sensitive information by reading environment variables and local files. Depending on the deployment environment, this vulnerability could also lead to privilege escalation or lateral movement within the system.

Reproduction

To reproduce this vulnerability, authenticate via the WeKnora API to obtain a Bearer token. Then, create an MCP service with the transport type set to 'stdio', injecting a command into the stdio configuration that directs the server to execute the command and write the output to a file. After the service is created, invoke the 'test' endpoint for that service, which will trigger the execution of the injected command on the server.

Remediation

Users are advised to update to WeKnora version 0.2.5 or later, where this vulnerability has been patched.