CVE-2026-42337

Vulnerability Description

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.

Vulnerability Details

Published Date

May 26, 2026

Last Modified

May 26, 2026

CWE ID

CWE-862

Source

NVD

Vendor

1Panel-dev

Product

MaxKB

External References

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-2jmj-gwvg-3gp2

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment