CVE-2026-39419

| EUVD-2026-22191 LOW
2026-04-14 GitHub_M
Authentication Bypass Python
3.1
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
patch_available
Apr 16, 2026 - 05:29 EUVD
2.8.0
Analysis Generated
Apr 14, 2026 - 02:08 vuln.today

DescriptionNVD

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.

AnalysisAI

MaxKB versions 2.7.1 and below allow authenticated users to spoof tool execution results by exploiting Python frame introspection to extract the wrapper's UUID from bytecode, then writing forged output directly to file descriptor 1 to bypass stdout redirection and terminate the wrapper process before legitimate output is generated, causing the service to trust the attacker-controlled response. This integrity bypass requires prior authentication and local/network access but enables attackers to manipulate AI tool results without detection. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-39419 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy