CVE-2025-48950

EUVD-2025-16777
Severity: HIGH (CVSS 3.1 base score 8.8)
Published: 2025-06-03

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

5 events, newest first:

EUVD ID Assigned: Mar 14, 2026 - 17:04 (euvd), EUVD-2025-16777
Analysis Generated: Mar 14, 2026 - 17:04 (vuln.today)
Patch Released: Mar 14, 2026 - 17:04 (nvd), patch available
PoC Detected: Aug 06, 2025 - 19:13 (vuln.today), public exploit code
CVE Published: Jun 03, 2025 - 19:15 (nvd), HIGH 8.8

Description

MaxKB is an open-source AI assistant for enterprise. Prior to version 1.10.8-lts, Sandbox only restricts the execution permissions of binary files in common directories, such as `/bin`, `/usr/bin`, etc. Therefore, attackers can exploit some files with execution permissions in non-blacklisted directories to carry out attacks. Version 1.10.8-lts fixes the issue.

Analysis

MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in common system directories (/bin, /usr/bin, etc.), allowing local attackers with low privileges to execute arbitrary code via executable files in non-blacklisted directories and achieve full system compromise. The vulnerability affects enterprise AI assistant deployments and has a high CVSS score of 8.8 reflecting significant impact potential; exploitation requires local access but no user interaction.

Technical Context

MaxKB is an open-source AI assistant framework designed for enterprise use. The vulnerability stems from CWE-276 (Incorrect Default Permissions), specifically an inadequate sandbox/containment mechanism that relies on a directory-based blacklist rather than comprehensive execution control. The sandbox only blocks execution of binaries in well-known system locations, so attackers can bypass it by placing or leveraging existing executable files in directories outside the blacklist (e.g., /opt, /home, /tmp, or application-specific directories). This is a classic case of an incomplete security control: the threat model assumed attacks would only originate from well-known system binary locations. The root cause is insufficient privilege separation and execution boundary enforcement within the MaxKB process sandbox, likely affecting the plugin/extension execution framework or script execution engine commonly used in AI assistant products.

Affected Products

MaxKB (open-source AI assistant for enterprise), versions prior to 1.10.8-lts. Specific affected version ranges are not enumerated in the description, so all releases before the fix should be considered vulnerable.

Affected: MaxKB < 1.10.8-lts
Remediated: MaxKB >= 1.10.8-lts
CPE string would be: cpe:2.3:a:maxkb:maxkb:*:*:*:*:*:*:*:* (versions before 1.10.8-lts)

No vendor advisory URL is available here; refer to the official MaxKB GitHub repository (https://github.com/1Panel-dev/MaxKB) or MaxKB official security advisories for patch details.

Remediation

Immediate action: Upgrade MaxKB to version 1.10.8-lts or later, which implements proper sandbox restrictions beyond directory-based blacklists.

Mitigation steps for organizations unable to immediately patch:
(1) Restrict local access to the MaxKB application to trusted users only; implement strong access controls and disable shell execution features if available.
(2) Run MaxKB in a restricted container or VM with minimal privileges and limited file system access outside necessary directories.
(3) Implement system-level execution restrictions using AppArmor, SELinux, or similar mandatory access control frameworks to prevent binary execution across the filesystem.
(4) Monitor process execution logs for unusual activity originating from non-standard directories.
(5) Audit and remove unnecessary executable files from application directories.
(6) Apply the principle of least privilege: run MaxKB processes with minimal required permissions.

Patch availability: Version 1.10.8-lts addresses this issue. Obtain patches from the official MaxKB repository releases page.
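Mitigation step (4) as an added example, not code from MaxKB or from this page: a small detector that scans process-execution records for successful execve calls made by the sandbox account and reports whether each binary sits inside or outside the blacklisted directories. The UID, the expected-binary set, the simplified auditd-style log format and all sample records are assumptions constructed for illustration.

```python
import posixpath
import re

# Directories the advisory names as covered by the old sandbox blacklist
# ("/bin, /usr/bin, etc."); extend to match the deployment under review.
BLACKLISTED_DIRS = ("/bin", "/usr/bin")
SANDBOX_UID = "1001"                      # assumption: UID of the sandboxed worker
EXPECTED_EXES = {"/opt/example/python3"}  # assumption: binaries it may run

# Constructed records in simplified auditd SYSCALL style (syscall 59 = execve
# on x86_64). Not real logs; all paths are placeholders.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000001.100:501): syscall=59 success=yes uid=1001 exe="/opt/example/python3"
type=SYSCALL msg=audit(1700000002.200:502): syscall=59 success=yes uid=1001 exe="/tmp/helper"
type=SYSCALL msg=audit(1700000003.300:503): syscall=59 success=yes uid=1001 exe="/usr/bin-extra/tool"
type=SYSCALL msg=audit(1700000004.400:504): syscall=59 success=yes uid=0 exe="/usr/local/bin/backup"
type=SYSCALL msg=audit(1700000005.500:505): syscall=59 success=yes uid=1001 exe="/usr/bin/../local/bin/tool"
type=SYSCALL msg=audit(1700000006.600:506): syscall=59 success=yes uid=1001 exe="/usr/bin/id"
type=SYSCALL msg=audit(1700000007.700:507): syscall=2 success=yes uid=1001 exe="/tmp/helper"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r'audit\([\d.]+:(\d+)\)')

def under(path, directory):
    """True only on a real directory boundary, so /usr/bin-extra != /usr/bin."""
    return path == directory or path.startswith(directory + "/")

def find_sandbox_execs(log_text):
    """Return (event_id, exe, reason) for unexpected execs by the sandbox UID."""
    findings = []
    for line in log_text.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if (rec.get("type"), rec.get("syscall"), rec.get("success")) != ("SYSCALL", "59", "yes"):
            continue  # only successful execve records are of interest
        if rec.get("uid") != SANDBOX_UID:
            continue  # other accounts are out of scope for this check
        exe = posixpath.normpath(rec.get("exe", ""))  # collapse ".." before matching
        if exe in EXPECTED_EXES:
            continue
        covered = any(under(exe, d) for d in BLACKLISTED_DIRS)
        reason = "blacklisted-dir" if covered else "outside-blacklist"
        event = EVENT_ID.search(line)
        findings.append((event.group(1) if event else "?", exe, reason))
    return findings

if __name__ == "__main__":
    for finding in find_sandbox_execs(SAMPLE_LOG):
        print(*finding)
```

An `outside-blacklist` finding is the pattern this CVE describes; a `blacklisted-dir` finding means the sandbox restriction did not apply at all and deserves the same attention.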

Priority Score

64 (on a Low / Medium / High / Critical scale)
Components: KEV: 0, EPSS: +0.2, CVSS: +44, POC: +20
