Remote Code Execution Vulnerability in MaxKB AI Assistant by 1Panel
CVE-2026-39420

6.3 MEDIUM

Key Information:

Vendor: 1panel-dev
Status: Vendor
CVE Published: 14 April 2026

What is CVE-2026-39420?

The MaxKB AI assistant, used by enterprises, has a flaw in its sandbox mechanism in versions 2.7.1 and below. Because environment variables are handled improperly, an authenticated user with execution privileges can escape the sandbox protections: by invoking the env command, the attacker can launch subprocesses that are not subject to the sandbox constraints, which can lead to unrestricted code execution or network access. The issue is fixed in version 2.8.0, which secures the execution environment.

Affected Version(s)

MaxKB < 2.8.0

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved