Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in 2.9.1.
AnalysisAI
Server-Side Request Forgery in MaxKB before 2.9.1 allows authenticated users to pivot into internal network infrastructure by supplying arbitrary URLs to the work_flow_template import endpoint. The server fetches attacker-controlled URLs without validation or internal IP filtering, enabling reconnaissance of internal services, cloud metadata endpoints, or other resources unreachable from the public internet. The CVSS 4.0 score of 6.3 is driven primarily by high subsequent-system confidentiality impact (SC:H), reflecting the lateral reach into backend infrastructure that SSRF typically enables. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
MaxKB is an open-source, enterprise-focused AI assistant developed by 1Panel-dev (CPE: cpe:2.3:a:1panel-dev:maxkb:*:*:*:*:*:*:*:*). The vulnerability resides in the workflow template import feature, specifically in the handling of a 'downloadUrl' parameter. When a user initiates a template import, the application performs a server-side HTTP fetch of the supplied URL. CWE-918 (Server-Side Request Forgery) describes this root cause class: the server acts as an unintended proxy because it does not validate the destination URL against an allowlist or block reserved/internal IP ranges (RFC 1918, loopback, link-local). This allows the attacker to weaponize the server's network position - effectively making outbound requests that the attacker cannot make directly - targeting cloud instance metadata services (e.g., 169.254.169.254), internal APIs, or adjacent microservices. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N) captures this asymmetry: low direct impact on the vulnerable component itself (VC:L), but high confidentiality impact on subsequent/reachable systems (SC:H).
RemediationAI
The primary remediation is to upgrade MaxKB to version 2.9.1 or later, which introduces URL validation and internal IP filtering for the work_flow_template downloadUrl parameter. The vendor advisory at https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-x9g5-j56j-4mfj should be consulted for release details. For deployments where immediate upgrading is not feasible, consider the following specific compensating controls: restrict access to the workflow template import functionality via role-based access control to only highly trusted users, reducing exposure if the feature cannot be disabled outright; deploy an egress proxy or firewall rule that blocks the MaxKB application server from making outbound HTTP/S requests to RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16) ranges - this directly neutralizes the primary impact path while potentially breaking legitimate external template fetches; and on cloud-hosted instances, enforce IMDSv2 (AWS) or equivalent metadata service protections to prevent credential theft via metadata endpoint SSRF. Note that egress filtering may break legitimate use of the import feature if it normally fetches templates from external sources.
MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in
Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role
OS command injection in MaxKB (1Panel-dev's open-source enterprise AI assistant) before 2.10.0-lts lets an authenticated
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript thr
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all
Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal netwo
OS command injection in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to execute arbitrary
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malic
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malic
Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to
Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31985