Sandbox Bypass in MaxKB AI Assistant by 1Panel
CVE-2026-39419

CVSS 3.1 LOW

Key Information:

  • Vendor: 1panel-dev
  • Status: Vendor
  • CVE Published: 14 April 2026

What is CVE-2026-39419?

The MaxKB AI assistant is vulnerable to a sandbox result validation bypass in versions 2.7.1 and earlier. The vulnerability allows an authenticated user to use Python frame introspection to manipulate the output of a tool run inside the sandbox. By reading the bytecode constants of the wrapper, the attacker obtains the UUID used to mark legitimate results and writes a forged result directly to file descriptor 1, bypassing the wrapper's standard output redirection. The attacker then terminates the wrapper with sys.exit(0) before the legitimate output is printed, so the MaxKB service trusts the falsified result as authentic. This issue has been resolved in version 2.8.0.

Affected Version(s)

MaxKB < 2.8.0

CVSS V3.1

  • Score: 3.1
  • Severity: LOW
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published: 14 April 2026
  • Vulnerability reserved