CVE-2026-39419

EPSS 0.05%
Veröffentlicht 14.04.2026 01:03:40
Zuletzt bearbeitet 20.04.2026 17:32:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Maxkb ≫ Maxkb SwEdition- Version < 2.8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.143

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0

Release Notes

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f3c8-p474-xwfv

Vendor Advisory

https://github.com/1Panel-dev/MaxKB/commit/38c4cfecd065293ede0437f6fa76cf0116591d25

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-39419

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39419

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39419

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39419