Upstream information
Description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt-based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having critical severity.
| CVSS detail | CNA (GitHub) | National Vulnerability Database |
|---|---|---|
| Base Score | 5.6 | 9.8 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network | Network |
| Attack Complexity | High | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | Low | High |
| Integrity Impact | Low | High |
| Availability Impact | Low | High |
| CVSSv3 Version | 3.1 | 3.1 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|
SUSE Timeline for this CVE
CVE page created: Sat Jan 10 06:02:32 2026CVE page last modified: Fri May 8 15:00:21 2026