CVE-2026-30861: WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation
A critical remote code execution (RCE) vulnerability exists in the MCP stdio configuration validation introduced in version 2.0.5.
The application allows unrestricted user registration, so any attacker can create an account and reach the flaw; in practice this makes it exploitable without any prior authorization. The validation allowlists the executables npx and uvx and blacklists known-dangerous arguments and environment variables, but both npx and uvx are package runners: their arguments decide which package is fetched and which binary from that package is executed, so a blacklist of individual argument tokens cannot close the hole. The bypass uses npx's -p (--package) flag to pull in the node package and invoke node, which then runs arbitrary attacker-supplied code with the application's privileges and leads to complete compromise of the host. Operators should upgrade to a fixed release; where that is not immediately possible, disabling open registration removes the anonymous path to the flaw but does not remove the flaw itself.
The vulnerability remained unfixed across releases 2.0.6 through 2.0.9 and was patched in version 2.0.10 without an accompanying advisory or CVE at the time, so users reading only the release notes would not have known that the upgrade closed a critical RCE.
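To make the validation failure concrete, the following Go program is an added example written for this page; it is not WeKnora's code, and the configuration struct, the contents of the blacklists, and the package allowlist are assumptions. It contrasts a validator of the shape the advisory describes (executable allowlist plus argument and environment blacklists) with a positive-validation replacement that refuses every runner option, so that npx's -p/--package and -c/--call and uvx's --from/--with can no longer redirect what gets executed, and checks the first positional argument against a vetted package list. The `npx -p node node -e ...` configuration illustrates the mechanism the advisory names; it is a constructed input, not the reporter's proof of concept.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// MCPStdioConfig is an illustrative stand-in for an MCP stdio server
// configuration (command, arguments, environment). It is not WeKnora's type.
type MCPStdioConfig struct {
	Command string
	Args    []string
	Env     map[string]string
}

var allowedCommands = map[string]bool{"npx": true, "uvx": true}

// Constructed blacklists of the kind the advisory describes. The lists the
// project actually used are not known; these are illustrative.
var blacklistedArgs = map[string]bool{
	"sh": true, "bash": true, "curl": true, "wget": true, "python": true, "eval": true,
}
var blacklistedEnv = map[string]bool{"LD_PRELOAD": true, "NODE_OPTIONS": true, "PYTHONPATH": true}

// ValidateWeak allowlists the executable and blacklists a few argument tokens
// and environment variables. This is the shape of check that the bypass defeats:
// nothing here stops the runner from being told which package to execute.
func ValidateWeak(c MCPStdioConfig) error {
	if !allowedCommands[c.Command] {
		return fmt.Errorf("command %q not allowed", c.Command)
	}
	for _, a := range c.Args {
		if blacklistedArgs[a] {
			return fmt.Errorf("argument %q not allowed", a)
		}
	}
	for k := range c.Env {
		if blacklistedEnv[k] {
			return fmt.Errorf("env var %q not allowed", k)
		}
	}
	return nil
}

// Example allowlist of MCP server packages an operator has vetted (assumed).
var allowedPackages = map[string]map[string]bool{
	"npx": {"@modelcontextprotocol/server-filesystem": true, "@modelcontextprotocol/server-memory": true},
	"uvx": {"mcp-server-fetch": true, "mcp-server-git": true},
}

var safeArg = regexp.MustCompile(`^[A-Za-z0-9_./:=@+-]+$`) // no whitespace or shell metacharacters
var safeEnvKey = regexp.MustCompile(`^[A-Z][A-Z0-9_]*$`)
var allowedEnvKeys = map[string]bool{"PATH": true, "HOME": true, "LOG_LEVEL": true}

// splitSpec separates "name@version" into name and version. A leading "@"
// (scoped npm package) is not a version separator.
func splitSpec(spec string) (name, version string) {
	i := strings.LastIndex(spec, "@")
	if i <= 0 {
		return spec, ""
	}
	return spec[:i], spec[i+1:]
}

// ValidateStrict uses positive validation only: the runner receives no options
// (the one exception is npx -y/--yes, which MCP configs commonly need), the
// first positional must be a vetted package with an optional exact version pin,
// and every remaining argument and env value must match a conservative charset.
func ValidateStrict(c MCPStdioConfig) error {
	pkgs, ok := allowedPackages[c.Command]
	if !ok {
		return fmt.Errorf("command %q not allowed", c.Command)
	}
	args := c.Args
	if c.Command == "npx" && len(args) > 0 && (args[0] == "-y" || args[0] == "--yes") {
		args = args[1:]
	}
	if len(args) == 0 {
		return errors.New("missing package")
	}
	if strings.HasPrefix(args[0], "-") {
		return fmt.Errorf("runner option %q not allowed", args[0])
	}
	name, version := splitSpec(args[0])
	if !pkgs[name] {
		return fmt.Errorf("package %q not in allowlist", name)
	}
	if version != "" && !safeArg.MatchString(version) {
		return fmt.Errorf("bad version %q", version)
	}
	for _, a := range args[1:] {
		if !safeArg.MatchString(a) {
			return fmt.Errorf("argument %q has unsafe characters", a)
		}
	}
	for k, v := range c.Env {
		if !allowedEnvKeys[k] || !safeEnvKey.MatchString(k) {
			return fmt.Errorf("env var %q not allowed", k)
		}
		if !safeArg.MatchString(v) {
			return fmt.Errorf("env value for %q has unsafe characters", k)
		}
	}
	return nil
}

func main() {
	// Constructed input in the shape the advisory describes: the allowlisted
	// runner is told via -p to fetch the node package, then node runs attacker code.
	bypass := MCPStdioConfig{Command: "npx", Args: []string{"-p", "node", "node", "-e", "require('child_process').execSync('id')"}}
	legit := MCPStdioConfig{Command: "npx", Args: []string{"-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"}}
	fmt.Println("weak validator, bypass config:  ", ValidateWeak(bypass))
	fmt.Println("strict validator, bypass config:", ValidateStrict(bypass))
	fmt.Println("strict validator, legit config: ", ValidateStrict(legit))
}
```

The strict validator deliberately does not try to enumerate bad flags: any option addressed to the runner is refused, and what runs is decided by the allowlist rather than by whatever the blacklist happened to miss.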