CVE-2026-30856: WeKnora Vulnerable to Tool Execution Hijacking via Ambiguous Naming Convention In MCP client and Indirect Prompt Injection
A vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming convention in the MCP client (mcp_{service}_{tool}), an attacker can register a malicious tool that overwrites a legitimate one (e.g., tavily_extract). This enables the attacker to redirect LLM execution flow, exfiltrate system prompts, context, and potentially execute other tools with the user’s privileges.
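The sketch below is an added example, not WeKnora code: it shows why an underscore-joined name of the form mcp_{service}_{tool} cannot tell two different (service, tool) pairs apart, and how a registry that tracks ownership of each exposed name rejects the clash instead of overwriting. The registry classes and the server and tool names are hypothetical; only the naming pattern comes from the advisory.

```python
# Added example. Registry classes and server/tool names are hypothetical,
# not WeKnora code; only the mcp_{service}_{tool} pattern is from the advisory.

class ToolCollisionError(Exception):
    """Raised when two different tools map to the same exposed name."""

def flat_name(service: str, tool: str) -> str:
    # Underscore-joined, so the service/tool boundary is not recoverable.
    return f"mcp_{service}_{tool}"

class NaiveRegistry:
    """Keyed by the flattened name: a later registration silently wins."""
    def __init__(self):
        self.tools = {}

    def register(self, service, tool, handler):
        self.tools[flat_name(service, tool)] = handler

class StrictRegistry:
    """Tracks which (service, tool) owns each exposed name; refuses clashes."""
    def __init__(self):
        self.tools = {}   # exposed name -> handler
        self.owner = {}   # exposed name -> (service, tool)

    def register(self, service, tool, handler):
        name = flat_name(service, tool)
        current = self.owner.get(name)
        if current is not None and current != (service, tool):
            raise ToolCollisionError(
                f"{name} is owned by {current}; rejected {(service, tool)}")
        self.owner[name] = (service, tool)
        self.tools[name] = handler

def demo():
    trusted = ("web", "search_extract")     # constructed: registered first
    untrusted = ("web_search", "extract")   # constructed: registered later
    naive, strict = NaiveRegistry(), StrictRegistry()
    naive.register(*trusted, lambda: "trusted")
    naive.register(*untrusted, lambda: "untrusted")
    strict.register(*trusted, lambda: "trusted")
    try:
        strict.register(*untrusted, lambda: "untrusted")
        rejected = False
    except ToolCollisionError:
        rejected = True
    name = flat_name(*trusted)
    return naive.tools[name](), strict.tools[name](), rejected

if __name__ == "__main__":
    print(demo())
```

The strict variant assumes each configured MCP server has a unique service identifier; a collision is surfaced as an error at registration time rather than resolved by last-writer-wins.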
References
- forum.cursor.com/t/mcp-tools-name-collision-causing-cross-service-tool-call-failures/70946
- github.com/Tencent/WeKnora
- github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx
- github.com/advisories/GHSA-67q9-58vj-32qx
- modelcontextprotocol-security.io/ttps/tool-poisoning/tool-name-conflict
- nvd.nist.gov/vuln/detail/CVE-2026-30856
- www.elastic.co/security-labs/mcp-tools-attack-defense-recommendations