CVE-2026-22687: WeKnora vulnerable to SQL Injection

January 9, 2026 (updated January 22, 2026)

After WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database.

References

github.com/Tencent/WeKnora
github.com/Tencent/WeKnora/commit/da55707022c252dd2c20f8e18145b2d899ee06a1
github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv
github.com/advisories/GHSA-pcwc-3fw3-8cqv
nvd.nist.gov/vuln/detail/CVE-2026-22687
pkg.go.dev/vuln/GO-2026-4293

Code Behaviors & Features

Detect and mitigate CVE-2026-22687 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →