AI Middleware Vulnerability Disclosed

A critical vulnerability (CVE-2026-30861) in the WeKnora LLM framework allows unauthenticated remote code execution. WeKnora is not itself a financial tool, but the bug illustrates the command-injection risk for firms embedding AI and agent frameworks into trading and analytics stacks.

The vulnerability in WeKnora, an open-source Retrieval-Augmented Generation (RAG) framework from Tencent, stems from a failure to properly validate the command line it hands to the Model Context Protocol (MCP) stdio transport, which launches MCP servers as local subprocesses. WeKnora restricts which executables may be launched with a command whitelist, but the check does not extend to the arguments: according to the disclosure, supplying the `-p` flag to the whitelisted `npx`/`node` launcher is enough to run arbitrary commands with the application's privileges. The lesson generalizes to any agentic framework that spawns system-level commands: a whitelist on the executable name is only as strong as the least dangerous argument that executable accepts.

As a RAG framework, WeKnora is designed to feed external, unstructured data, such as news feeds or document repositories, into language models for real-time analysis. A command-injection flaw in this pipeline is critical: it could allow an attacker to poison the data feed ingested by trading models, manipulate market analysis, or exfiltrate proprietary quantitative research that the framework is processing. The OWASP Top 10 for LLM Applications lists prompt injection, including the indirect form in which hostile instructions arrive inside ingested content, and data poisoning among the leading LLM risks. The WeKnora bug itself, though, is a conventional command-injection flaw in the plumbing around the model rather than a prompt-injection attack on the model, which is exactly why conventional controls such as argument validation and subprocess least privilege matter in AI stacks.

The incident underscores the supply-chain risk of deploying third-party AI infrastructure, a concern JPMorgan's CTO recently highlighted after a review found that security vulnerabilities in AI systems had tripled since mass adoption began. The average cost of a data breach in the financial sector reached $5.56 million in 2025, with AI-driven attacks accounting for roughly one in six incidents.

Peer institutions are moving aggressively to deploy similar agent-based systems, increasing the urgency for robust security frameworks. Goldman Sachs has spent the last six months co-developing autonomous AI agents with Anthropic, targeting back-office functions such as trade accounting, compliance, and real-time trade surveillance. JPMorgan Chase already has over 300 AI use cases in production and has built its own proprietary platform, OmniAI, to standardize security and controls for AI/ML applications.
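The following Go sketch is an added illustration of the control that fails here; it is not WeKnora's code and not the vendor's fix. It contrasts an allowlist that looks only at the executable name with a policy that validates the whole argument vector of an MCP stdio launch. The launcher names, flag sets, entrypoint package names, and the two sample launch requests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// MCPServerSpec is an MCP stdio-transport launch request: the executable
// plus its argument vector, typically taken from user-editable config.
type MCPServerSpec struct {
	Command string
	Args    []string
}

// --- Weak control: allowlist on the executable name only ---------------

var naiveAllowlist = map[string]bool{"npx": true, "node": true, "uvx": true, "python": true}

// naiveAllowed accepts any argument vector as long as the executable is on
// the list. Every launcher on the list accepts flags that evaluate code or
// fetch and run a package (node -e/-p, npx -p/--package, python -c, uvx --with),
// so the control is bypassable through Args alone.
func naiveAllowed(s MCPServerSpec) bool {
	return naiveAllowlist[s.Command]
}

// --- Hardened control: per-launcher policy over the whole argv ---------

// launchPolicy is an illustrative policy shape (assumed, not WeKnora's): the
// only flags a launcher may receive and the only entrypoints (package or
// script) it may be pointed at. Anything not listed is rejected, so the
// code-evaluating flags never need to be enumerated in a denylist.
type launchPolicy struct {
	allowedFlags map[string]bool
	entrypoints  map[string]bool
}

// Hypothetical deployment policy; the entrypoint names are constructed.
var policies = map[string]launchPolicy{
	"npx": {
		allowedFlags: map[string]bool{"-y": true, "--yes": true},
		entrypoints:  map[string]bool{"@example/mcp-server@1.0.0": true},
	},
	"uvx": {
		allowedFlags: map[string]bool{},
		entrypoints:  map[string]bool{"example-mcp-server==1.0.0": true},
	},
}

// safeArg bounds what a trailing positional argument (e.g. a directory the
// server may read) may look like: no whitespace, quotes or shell metacharacters.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9@._/:-]+$`)

var (
	errLauncher   = errors.New("launcher not permitted")
	errFlag       = errors.New("flag not permitted")
	errEntrypoint = errors.New("entrypoint not approved")
	errArg        = errors.New("argument contains disallowed characters")
)

// validateLaunch returns nil only if every element of argv is covered by the
// launcher's policy. Flags written as --name=value are checked by name.
func validateLaunch(s MCPServerSpec) error {
	pol, ok := policies[s.Command]
	if !ok {
		return fmt.Errorf("%w: %q", errLauncher, s.Command)
	}
	seenEntrypoint := false
	for _, a := range s.Args {
		if strings.HasPrefix(a, "-") {
			name, _, _ := strings.Cut(a, "=")
			if !pol.allowedFlags[name] { // exact match, so "-yp" is rejected too
				return fmt.Errorf("%w: %q", errFlag, a)
			}
			continue
		}
		if !seenEntrypoint {
			if !pol.entrypoints[a] {
				return fmt.Errorf("%w: %q", errEntrypoint, a)
			}
			seenEntrypoint = true
			continue
		}
		if !safeArg.MatchString(a) {
			return fmt.Errorf("%w: %q", errArg, a)
		}
	}
	if !seenEntrypoint {
		return fmt.Errorf("%w: none given", errEntrypoint)
	}
	return nil
}

func main() {
	// Constructed requests: a legitimate server launch, and one that stays on
	// the executable allowlist but asks the launcher to run something else.
	legit := MCPServerSpec{Command: "npx", Args: []string{"-y", "@example/mcp-server@1.0.0", "/srv/docs"}}
	abuse := MCPServerSpec{Command: "npx", Args: []string{"-p", "some-package", "node", "-e", "process.exit(0)"}}
	for _, s := range []MCPServerSpec{legit, abuse} {
		fmt.Printf("%s %v\n  naive allowlist: %v\n  argv policy: %v\n", s.Command, s.Args, naiveAllowed(s), validateLaunch(s))
	}
}
```

The hardened check is an allowlist over flags and entrypoints, not a denylist of known-dangerous options, so it holds for launchers whose flag sets you have not audited and for `--flag=value` spellings. It is still only one layer: the spawned MCP server should also run under a dedicated low-privilege account with a fixed PATH and no filesystem or network reach beyond what its job requires, so that a future bypass lands in a sandbox rather than in the application's privileges.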

Shared from Scout - Be the smartest in the room.