7.5
WeKnora: Unpatched Redirects Allow Access to Internal Services
GHSA-595m-wc8g-6qgc
CVE-2026-30247
Summary
A weakness in WeKnora's document import feature lets an attacker trick the server into sending requests to internal services it should not reach. This could lead to unauthorized access, data breaches, or malicious actions. Update to version 0.2.12 or later to fix the issue.
What to do
- Update github.com/tencent/weknora to version 0.2.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | tencent | <= 0.2.11 | 0.2.12 |
| tencent | github.com/tencent/weknora | <= 0.2.12 | 0.2.12 |
| tencent | weknora | <= 0.2.12 | – |
Original title
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Se...
Original description
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery (SSRF) through HTTP redirects. While the backend implements comprehensive URL validation (blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints), it fails to validate redirect targets. An attacker can bypass all protections by using a redirect chain, forcing the server to access internal services. Additionally, Docker-specific internal addresses like host.docker.internal are not blocked. This issue has been patched in version 0.2.12.
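The gap described above is that only the submitted URL was checked, so the fix is to apply the same check to every redirect hop and to the address actually dialed. The Go sketch below is an added example, not WeKnora's patch; the names `validateURL`, `checkRedirect`, `dialControl`, `newImportClient` and `blockedHosts`, the five-hop limit and the timeout are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

var blockedHosts = map[string]bool{"localhost": true, "host.docker.internal": true} // refused by name
func ipAllowed(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast())
}

// validateURL is applied to the submitted URL and, via checkRedirect, to every redirect target.
func validateURL(u *url.URL) error {
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	ip := net.ParseIP(host)
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" || blockedHosts[host] || (ip != nil && !ipAllowed(ip)) {
		return fmt.Errorf("URL %q not allowed", u)
	}
	return nil
}

// checkRedirect re-validates each hop; without it only the first URL in a chain is ever checked.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	return validateURL(req.URL)
}

// dialControl runs after DNS resolution, so a public name that resolves to an internal IP is refused.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, _ := net.SplitHostPort(address) // on a parse error host is "" and the dial is refused
	if ip := net.ParseIP(host); ip == nil || !ipAllowed(ip) {
		return fmt.Errorf("dial to %s refused", address)
	}
	return nil
}

func newImportClient() *http.Client {
	tr := &http.Transport{DialContext: (&net.Dialer{Control: dialControl}).DialContext}
	return &http.Client{Timeout: 15 * time.Second, CheckRedirect: checkRedirect, Transport: tr}
}
// main checks one constructed redirect target without touching the network.
func main() { fmt.Println(validateURL(&url.URL{Scheme: "http", Host: "host.docker.internal:8080"})) }
```

The dial-time check is what covers hostnames: the URL check only sees literal IPs and the name denylist, while `dialControl` sees the resolved address for the first request and for every redirect.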
ghsa CVSS3.1
5.9
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026