Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.
AnalysisAI
Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (chat/api/oss/get_url) to cross-application data access by authenticated low-privilege users who supply arbitrary application_id values in the URL path. Because the endpoint performs no ownership validation against the requesting session, any authenticated user can retrieve OSS file URLs scoped to applications they do not own, violating multi-tenant isolation. No public exploit code exists and the issue is not listed in CISA KEV; a vendor-released patch is available in version 2.8.1.
Technical ContextAI
MaxKB is an open-source enterprise AI knowledge-base assistant maintained by 1Panel-dev (CPE: cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*). The vulnerable component is the OSS (Object Storage Service) file service endpoint at chat/api/oss/get_url, which accepts an application_id path parameter to scope which application's stored files are referenced. CWE-862 (Missing Authorization) describes the root cause: the server processes the application_id and returns the associated file URL without first verifying that the authenticated caller has entitlement to that application. This is structurally an Insecure Direct Object Reference (IDOR) pattern - user-controlled input directly selects a server-side resource, and the authorization gate that should enforce ownership is absent.
RemediationAI
The primary and recommended remediation is upgrading to MaxKB 2.8.1, which is the vendor-released patch that introduces ownership validation for the application_id parameter on the chat/api/oss/get_url endpoint. Full upgrade guidance is available in the vendor advisory at https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-2jmj-gwvg-3gp2. If an immediate upgrade is not operationally feasible, restrict network-layer access to the chat/api/oss/get_url path at the reverse proxy or API gateway to only authenticated users belonging to specific, known application contexts - note this may partially disrupt legitimate chat-initiated file retrieval workflows and does not eliminate the flaw. Additionally, audit API access logs for chat/api/oss/get_url requests where the application_id in the path does not correspond to the authenticated user's registered applications, as a detection measure to identify prior or ongoing exploitation attempts.
MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in
Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role
OS command injection in MaxKB (1Panel-dev's open-source enterprise AI assistant) before 2.10.0-lts lets an authenticated
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript thr
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all
Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal netwo
Server-Side Request Forgery in MaxKB before 2.9.1 allows authenticated users to pivot into internal network infrastructu
OS command injection in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to execute arbitrary
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malic
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malic
Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31988