Remote Code Execution Vulnerability in MaxKB AI Assistant from 1Panel
CVE-2026-39417

4.6 MEDIUM

Key Information:

Vendor: 1panel-dev
Status: Vendor
CVE Published: 14 April 2026

What is CVE-2026-39417?

MaxKB, an open-source enterprise AI assistant from 1Panel, contains a remote code execution vulnerability in versions prior to 2.8.0. The root cause is an incomplete fix: an earlier restriction on loading MCP (Model Context Protocol) node configurations does not cover every way such a configuration can be expressed, so an attacker who can edit a workflow can bypass it and inject a malicious MCP node configuration through a crafted JSON payload. When the workflow is triggered, the injected configuration causes the MaxKB server to execute attacker-controlled commands. The CVSS vector tempers the rating: exploitation requires an authenticated low-privilege account, user interaction and high attack complexity, which is why the base score is 4.6 (Medium) even though the outcome is code execution. Users should upgrade to version 2.8.0 or later, which completes the fix.
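To illustrate the class of flaw the advisory describes (a restriction on MCP configurations that a differently encoded payload slips past), the following is an added Python example. It is not MaxKB code and does not reproduce the project's actual check; the weak validator, the hardened validator and all payloads are constructed for illustration. It assumes the common MCP client configuration shape, where `mcpServers` maps a server name to either a `command`/`args` pair (a local process over stdio) or a `transport`/`url` pair (a remote server), and that the application must only ever allow the remote form.

```python
import json
from urllib.parse import urlparse

# Constructed sample payloads (not taken from any real report).
BENIGN = json.dumps({
    "mcpServers": {
        "docs": {"transport": "sse", "url": "https://mcp.example.internal/sse"}
    }
})
# stdio transport: the consumer would spawn this process on the server.
STDIO = json.dumps({
    "mcpServers": {"evil": {"command": "sh", "args": ["-c", "id > /tmp/pwned"]}}
})
# Same payload, but the key is written with a JSON unicode escape, so the raw
# text no longer contains the literal string "command".
ESCAPED = '{"mcpServers": {"evil": {"comm\\u0061nd": "sh", "args": ["-c", "id"]}}}'


def weak_is_allowed(raw: str) -> bool:
    """Incomplete fix (hypothetical): a deny-list applied to the raw text.

    It rejects the obvious payload but accepts the escaped one, because the
    JSON parser that later consumes the config decodes "\\u0061" to "a" and
    produces exactly the key this filter was meant to block.
    """
    return '"command"' not in raw


def decoded_server_keys(raw: str) -> set:
    """Keys the consumer actually sees after parsing (all servers merged)."""
    keys = set()
    for server in json.loads(raw).get("mcpServers", {}).values():
        keys.update(server)
    return keys


ALLOWED_TRANSPORTS = {"sse", "streamable_http"}
ALLOWED_SERVER_KEYS = {"transport", "url", "headers"}


def strict_is_allowed(raw: str) -> bool:
    """Hardened check: parse first, then allow-list the decoded structure.

    Anything not explicitly permitted is rejected, so a spawn-a-process key
    is refused however it is spelled or escaped.
    """
    try:
        cfg = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(cfg, dict) or set(cfg) != {"mcpServers"}:
        return False
    servers = cfg["mcpServers"]
    if not isinstance(servers, dict) or not servers:
        return False
    for server in servers.values():
        if not isinstance(server, dict):
            return False
        # Unknown keys (command, args, env, ...) fail here, escaped or not.
        if not set(server) <= ALLOWED_SERVER_KEYS:
            return False
        if server.get("transport") not in ALLOWED_TRANSPORTS:
            return False
        url = urlparse(server.get("url", ""))
        if url.scheme != "https" or not url.netloc:
            return False
        headers = server.get("headers", {})
        if not isinstance(headers, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in headers.items()
        ):
            return False
    return True


if __name__ == "__main__":
    for name, payload in [("benign", BENIGN), ("stdio", STDIO), ("escaped", ESCAPED)]:
        print(f"{name:8} weak={weak_is_allowed(payload)!s:5} "
              f"strict={strict_is_allowed(payload)!s:5} "
              f"decoded keys={sorted(decoded_server_keys(payload))}")
```

The decisive difference is where the check runs relative to decoding: a deny-list applied to the raw text is only complete if it models every decoding step the consumer will later perform, which is rarely true. Validating the parsed structure against an allow-list closes the gap by construction, which is the property an upgrade to a complete fix should restore.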

Affected Version(s)

MaxKB < 2.8.0

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability reserved
  • Vulnerability published: 14 April 2026