CVE-2026-22687

5.6 MEDIUM

📋 TL;DR

WeKnora versions before 0.2.5 contain a SQL injection vulnerability in the Agent service's database query tool. Attackers can use prompt-based techniques to bypass query restrictions and access sensitive data from the server and database. This affects all WeKnora deployments with Agent service enabled.

💻 Affected Systems

Products:
  • WeKnora
Versions: All versions before 0.2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires Agent service to be enabled, which is a configurable feature.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to exfiltration of all sensitive data, including credentials, personal information, and proprietary documents.

🟠 Likely Case

Unauthorized access to sensitive database information, potentially including user data, document metadata, and system configuration.

🟢 If Mitigated

Limited or no data exposure if proper input validation and query restrictions are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the Agent service interface and knowledge of prompt injection techniques to bypass SQL query restrictions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.5

Vendor Advisory: https://github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv

Restart Required: Yes

Instructions:

1. Back up your WeKnora configuration and data.
2. Update to version 0.2.5 using your package manager or from GitHub releases.
3. Restart the WeKnora service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Agent Service (all platforms)

Temporarily disable the vulnerable Agent service component until patching is possible.

# Edit WeKnora configuration to set agent.enabled = false
# Restart WeKnora service

Network Access Restriction (Linux)

Restrict network access to WeKnora Agent service endpoints using firewall rules.

# Example: iptables -A INPUT -p tcp --dport [WeKnora_port] -s [trusted_ips] -j ACCEPT
# iptables -A INPUT -p tcp --dport [WeKnora_port] -j DROP

🧯 If You Can't Patch

  • Disable the Agent service entirely in configuration
  • Implement strict network segmentation and access controls to limit exposure

🔍 How to Verify

Check if Vulnerable:

Check WeKnora version and verify Agent service is enabled in configuration.

Check Version:

Run weknora --version, or check the installed version in your package manager.

Verify Fix Applied:

Confirm version is 0.2.5 or later and test that prompt-based SQL injection attempts are properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns from Agent service
  • SQL error messages in logs
  • Multiple failed query attempts with unusual parameters

Network Indicators:

  • Unusual traffic to Agent service endpoints
  • Large data transfers from database ports

SIEM Query:

source="weknora.logs" AND ("SQL error" OR "query failed" OR "unauthorized query")
