CVE-2026-30247

5.9 MEDIUM

📋 TL;DR

WeKnora versions before 0.2.12 have an SSRF vulnerability in the 'Import document via URL' feature that allows attackers to bypass URL validation through HTTP redirects. This enables access to internal services including Docker-specific addresses like host.docker.internal. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • WeKnora
Versions: All versions before 0.2.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the 'Import document via URL' feature. Docker deployments are particularly vulnerable due to unblocked host.docker.internal addresses.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains access to internal cloud metadata, Docker host services, or other internal systems leading to data exfiltration, lateral movement, or service disruption.

🟠 Likely Case

Attacker probes internal networks, accesses internal APIs, or retrieves cloud metadata to gather information for further attacks.

🟢 If Mitigated

Limited to external resource access if proper network segmentation and egress filtering are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF via redirect bypass is a well-known technique. The vulnerability requires the import feature to be enabled and accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.12

Vendor Advisory: https://github.com/Tencent/WeKnora/security/advisories/GHSA-595m-wc8g-6qgc

Restart Required: Yes

Instructions:

  1. Update WeKnora to version 0.2.12 or later.
  2. Restart the WeKnora service.
  3. Verify the fix by testing the import feature with redirect URLs.

🔧 Temporary Workarounds

Disable URL Import Feature (platform: all)

Temporarily disable the vulnerable 'Import document via URL' feature until patching is possible.

# Configuration depends on deployment method. Check WeKnora documentation for feature flags.

Network Egress Filtering (platform: linux)

Implement strict egress filtering so the WeKnora host or container cannot reach internal networks.

# Example iptables rule to block internal access. 169.254.0.0/16 is included so the
# cloud metadata endpoint (169.254.169.254) named in this advisory is covered as well.
# The rule also blocks any internal service WeKnora itself depends on, so apply it in
# the WeKnora host's or container's network namespace and allow required destinations first.
# iptables -A OUTPUT -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate WeKnora from internal services.
  • Deploy a web application firewall (WAF) with SSRF protection rules.

🔍 How to Verify

Check if Vulnerable:

Test the import feature with a URL that redirects to an internal address (e.g., http://redirector.example.com -> http://169.254.169.254). If the server processes the redirect target, it's vulnerable.

Check Version:

Check the WeKnora version in the application logs or via an API endpoint, if one is available.

Verify Fix Applied:

After updating to 0.2.12+, repeat the same test. The server should reject redirects to blocked addresses.
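The following is an added example and not WeKnora's or the advisory's own code: a Go HTTP client redirect policy (Go being the language of WeKnora's backend) that re-validates every redirect hop against the private, link-local and Docker-alias targets this advisory names, which is the class of check a fixed server needs in order to reject redirects to blocked addresses. The injectable resolver and the 5-hop limit are assumptions made for this example; an import handler would use it as &http.Client{CheckRedirect: checkRedirect} and call validateTarget on the user-supplied URL before the first request.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Hostnames refused outright; host.docker.internal is the Docker alias this advisory names.
var blockedHosts = map[string]bool{"localhost": true, "host.docker.internal": true}

// isInternalIP: loopback, RFC 1918/ULA, link-local (covers 169.254.169.254), unspecified, multicast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateTarget runs on the initial URL and on every redirect hop; resolve is injectable (net.LookupIP in production).
func validateTarget(rawURL string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	host := strings.ToLower(u.Hostname())
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" || blockedHosts[host] {
		return fmt.Errorf("scheme or host not allowed: %q", rawURL)
	}
	ips := []net.IP{net.ParseIP(host)} // IP literal: check it directly
	if ips[0] == nil {                 // hostname: check every address it resolves to
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// checkRedirect is the http.Client.CheckRedirect policy: each hop is re-validated, so a public URL
// that 302s to an internal address is refused mid-chain; the hop limit replaces Go's default of 10.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return fmt.Errorf("too many redirects")
	}
	return validateTarget(req.URL.String(), net.LookupIP)
}
```

Checking the resolved addresses separately from the dial leaves a DNS-rebinding window between lookup and connect; in production, also check the address at connect time (for example in net.Dialer's Control hook) rather than trusting a second lookup.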

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from WeKnora to internal IPs
  • Multiple redirect responses in import logs
  • Requests to cloud metadata endpoints (169.254.169.254)

Network Indicators:

  • WeKnora server making HTTP requests to internal network segments
  • Traffic to Docker host addresses from WeKnora

SIEM Query:

source="weknora" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254) OR url CONTAINS "host.docker.internal")
