Unauthorized Access Vulnerability in MaxKB AI Assistant by 1Panel
CVE-2026-44847

7.5 HIGH

Key Information:

Vendor

1panel-dev

CVE Published:
26 May 2026

What is CVE-2026-44847?

MaxKB, the enterprise AI assistant from 1Panel, exposes its webhook trigger endpoint without authentication in versions before 2.9.0. The endpoint '/api/trigger/v1/webhook/{trigger_id}' is guarded by a WebhookAuth authentication class whose authenticate() method unconditionally returns (None, {}). In Django REST Framework an authenticator that returns any two-tuple, rather than None or raising an authentication exception, is taken to have authenticated the request, so every caller is treated as authenticated, including one that presents no credentials at all. An attacker who possesses a valid trigger ID can therefore call the endpoint anonymously, fire that trigger and run whatever potentially harmful tasks it is bound to, with no authorization check. The issue is fixed in version 2.9.0; users should upgrade to that release or later.
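To make the failure concrete, the following is an added example and not MaxKB's code or Django REST Framework's own: it re-implements DRF's authenticator contract in a few lines (so it runs without Django installed), places an authenticator that unconditionally returns (None, {}) beside a hardened one, and shows why the first admits a request with no credentials while the second does not. The X-Webhook-Token header, the TRIGGER_SECRETS table and the HardenedWebhookAuth class are assumptions made for illustration, not the upstream 2.9.0 fix.

```python
"""Added example (not MaxKB or DRF code): why an authentication class that
always returns (None, {}) leaves a DRF endpoint open to anonymous callers.

DRF's Request._authenticate() tries each configured authenticator in turn.
The contract: return None to mean "I cannot judge this request, try the next
authenticator"; return a (user, auth) tuple to mean "this request is
authenticated". DRF does not inspect the tuple, so a class that always
returns (None, {}) marks every request as authenticated. The loop below is a
simplified re-implementation of that contract.
"""
import hmac
from dataclasses import dataclass, field


class AuthenticationFailed(Exception):
    """Stands in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass
class Request:
    """Minimal stand-in for a DRF request: the trigger_id path parameter
    plus the HTTP headers."""
    trigger_id: str
    headers: dict = field(default_factory=dict)


def run_authenticators(request, authenticators):
    """Simplified model of DRF's Request._authenticate(): authenticators are
    tried in order; the first one returning a non-None value wins and its
    (user, auth) tuple is accepted as-is. Nothing here looks inside the
    tuple, so (None, {}) counts as success."""
    for authenticator in authenticators:
        result = authenticator.authenticate(request)
        if result is not None:
            return result
    return None


class VulnerableWebhookAuth:
    """The pre-2.9.0 pattern the advisory describes: every request is reported
    as authenticated, with no user and no credential check at all."""

    def authenticate(self, request):
        return (None, {})


# Constructed sample data: the per-trigger secret a hardened server would store.
TRIGGER_SECRETS = {"trig-7f3a": "constructed-secret-k9Zq2"}


class HardenedWebhookAuth:
    """Hardened variant written for this example (an assumption, not the
    upstream 2.9.0 patch): the caller must send the trigger's secret in an
    X-Webhook-Token header, compared in constant time. Anything else is
    rejected by raising, not by returning None: a webhook endpoint has no
    other authenticator to fall back to, so "cannot tell" must mean "denied"."""

    def authenticate(self, request):
        expected = TRIGGER_SECRETS.get(request.trigger_id)
        presented = request.headers.get("X-Webhook-Token", "")
        if expected is None or not hmac.compare_digest(presented, expected):
            raise AuthenticationFailed("invalid or missing webhook token")
        # Return a real principal (the trigger itself), never None.
        return ({"trigger_id": request.trigger_id}, {"via": "X-Webhook-Token"})


def principal_is_authenticated(auth_result):
    """The check a permission class (DRF's IsAuthenticated equivalent) should
    add as defence in depth: a tuple whose user is None is not a login."""
    return auth_result is not None and auth_result[0] is not None


def fire_webhook(request, auth_class):
    """Model of the trigger view: run the configured authenticator and, if the
    request counts as authenticated, execute the trigger's job. Mirrors a view
    that relies on its authentication class alone. Returns "fired" or "denied"
    (DRF would turn the exception into a 401/403 response)."""
    try:
        result = run_authenticators(request, [auth_class()])
    except AuthenticationFailed:
        return "denied"
    if result is None:
        return "denied"
    return "fired"  # the trigger's workflow would run here


if __name__ == "__main__":
    anonymous = Request("trig-7f3a")
    print("vulnerable, no credentials:", fire_webhook(anonymous, VulnerableWebhookAuth))
    print("hardened, no credentials:  ", fire_webhook(anonymous, HardenedWebhookAuth))
    good = Request("trig-7f3a", {"X-Webhook-Token": TRIGGER_SECRETS["trig-7f3a"]})
    print("hardened, valid token:     ", fire_webhook(good, HardenedWebhookAuth))
```

Two points carry over to a real codebase. First, an authenticator that cannot verify a request must either return None (if another authenticator may legitimately handle it) or raise AuthenticationFailed; returning a tuple is a positive claim of identity. Second, the view should not trust the authenticator alone: a permission check that rejects a None principal, as principal_is_authenticated does, would have turned this bug into a denied request even with the faulty class in place.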

Affected Version(s)

MaxKB < 2.9.0

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
