CVE-2026-39419

LOW SEVERITY

CVSS Score & Metrics

Base Score

3.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N                                    

Vulnerability Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.

Vulnerability Details

Published Date

April 14, 2026

Last Modified

April 14, 2026

CWE ID

CWE-74

Source

NVD

Vendor

1Panel-dev

Product

MaxKB

External References

https://github.com/1Panel-dev/MaxKB/commit/38c4cfecd065293ede0437f6fa76cf0116591d25
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f3c8-p474-xwfv

CVE-2026-39419

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment