CVE-2026-30860: Critical Vulnerability in Tencent WeKnora

A critical remote code execution (RCE) vulnerability exists in Tencent WeKnora, an LLM-powered framework designed for deep document understanding and semantic retrieval. This vulnerability allows attackers to exploit the application's database query functionality, specifically prior to version 0.2.12.

The vulnerability arises from a failure in the validation system, which does not recursively inspect child nodes within PostgreSQL array expressions and row expressions. As a consequence, attackers can bypass SQL injection protections. By smuggling dangerous PostgreSQL functions within these expressions and chaining them with large object operations, an unauthenticated attacker can achieve arbitrary code execution on the database server with database user privileges.

Given the severity of the CVSS score of 9.9, this vulnerability poses a significant risk to organizations utilizing WeKnora. Organizations should prioritize patching immediately.

The issue has been patched in version 0.2.12; therefore, upgrading to this version or later is essential for mitigating risk.

Vulnerability Details

CVE-2026-30860 has been classified with a CVSS score of 9.9, indicating a critical severity level. The vulnerability allows for remote code execution through a SQL injection bypass, specifically identified as CWE-89. The vulnerability was published on March 7, 2026, and relates to the WeKnora framework by Tencent, which is designed for advanced document processing.

Technical Analysis

The root cause of this vulnerability is the failure of the validation system to adequately inspect child nodes in PostgreSQL expressions. This oversight allows attackers to exploit SQL injection protections. The attack vector is network-based, requiring low complexity for execution with low privileges required. Importantly, no user interaction is necessary for exploitation.

When successfully exploited, the attacker can impact the confidentiality, integrity, and availability of the database, as they can execute arbitrary code with database user privileges.

Risk & Impact Analysis

Risk to organizations includes significant potential data breaches and loss of integrity, as attackers could exploit this vulnerability to execute arbitrary code on the database server. This could lead to unauthorized access to sensitive data and disruption of services. Due to the critical CVSS score, organizations should prioritize patching immediately. The vulnerability is currently not listed in the KEV catalog, indicating a lower level of active exploitation awareness, but the potential impact remains high.

Exploitation Status

Affected Versions

All versions of Tencent WeKnora prior to version 0.2.12 are affected by this vulnerability. Organizations should upgrade to version 0.2.12 or later to mitigate risks.

Mitigation & Remediation

Organizations should apply the patch available in version 0.2.12 of WeKnora. If immediate patching is not possible, organizations should implement robust input validation controls and monitor database activities closely.

Detection Guidance

Detecting potential exploitation attempts may involve monitoring logs for unusual database queries, analyzing application behavior for anomalies, and employing intrusion detection systems to identify malicious activities targeting SQL functions.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-30860 reflects the ongoing challenges faced by organizations using database-driven applications. Ensuring the robustness of input validation and staying up-to-date with security patches is essential for maintaining security posture.

The patterns of exploitation highlight the importance of proactive security measures, including regular security assessments and penetration testing to identify potential vulnerabilities before they can be exploited.

Organizations should consider implementing continuous security testing practices to identify new vulnerabilities and respond effectively to emerging threats.