Execution Permission Flaw in MaxKB Open-Source AI Assistant
CVE-2025-48950

5.8MEDIUM

Key Information:

Vendor: 1panel-dev
Status: Maxkb
Vendor: CVE Published:; 3 June 2025

What is CVE-2025-48950?

The MaxKB open-source AI assistant for enterprise has a significant execution permission flaw. Prior to version 1.10.8-lts, the Sandbox only implements restrictions on the execution of binary files located in common directories such as /bin and /usr/bin. This fails to account for executable files in other non-blacklisted directories, leaving the system exposed to potential attacks. Attackers may exploit this oversight to execute malicious code, compromising the integrity and security of the application. Upgrading to version 1.10.8-lts addresses this vulnerability and enhances overall security.

Affected Version(s)

MaxKB < 1.10.8-lts

References

https://github.com/1Panel-dev/MaxKB/security/advisories/G...

x_refsource_CONFIRM

https://github.com/1Panel-dev/MaxKB/pull/3127

x_refsource_MISC

https://github.com/1Panel-dev/MaxKB/commit/187e9c1e4ea1eb...

x_refsource_MISC

CVSS V4

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2025
Vulnerability Reserved
May 28, 2025

1panel-dev

What is CVE-2025-48950?

Affected Version(s)

References

CVSS V4

Timeline