CVE-2026-22688: WeKnora has Command Injection in MCP stdio test
- Remote Code Execution (RCE): Arbitrary command execution allows an attacker to create or modify files, execute additional payloads, and disrupt the service
- Information Disclosure: Sensitive data can be exfiltrated by reading environment variables, configuration files, keys, tokens, and local files
- Privilege Escalation / Lateral Movement (environment-dependent): Impact may escalate depending on container mounts, network policies, and access permissions to internal services
- Cross-Tenant Boundary Impact: Execution occurs in a shared backend runtime; depending on the deployment configuration, impact may extend beyond tenant boundaries (the exact scope is uncertain and varies by deployment setup)