Skip to main content

MaxKB EUVDEUVD-2026-42924

| CVE-2026-54149 HIGH
OS Command Injection (CWE-78)
2026-07-10 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable web app, low complexity, but requires an authenticated account to import/reference the tool (PR:L); stdio command execution yields full host C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 17:01 EUVD
Analysis Generated
Jul 10, 2026 - 16:20 vuln.today

DescriptionCVE.org

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not consistently validate MCP transport type, allowing an authenticated user to import a .tool file containing stdio transport with malicious commands and trigger the configuration through an AI Chat node so MultiServerMCPClient executes arbitrary system commands. This issue is fixed in version 2.10.0-lts.

AnalysisAI

OS command injection in MaxKB (1Panel-dev's open-source enterprise AI assistant) before 2.10.0-lts lets an authenticated user achieve arbitrary command execution on the host by importing a crafted .tool file that declares an MCP stdio transport and triggering it through an AI Chat node. Because the tool-import path (apps/tools/serializers/tool.py) and the MCP referencing path (base_chat_step.py) fail to consistently validate the MCP transport type, the MultiServerMCPClient spawns the attacker's stdio command locally. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to MaxKB with low-privilege account
Delivery
Import crafted .tool with stdio MCP transport
Exploit
Reference tool in AI Chat node
Execution
MultiServerMCPClient spawns stdio subprocess
Impact
Execute arbitrary commands as service user

Vulnerability AssessmentAI

Exploitation Requires an authenticated MaxKB account (PR:L) with permission to import a .tool file and to create/edit an application flow that references it via the MCP referencing mode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8) indicates network-reachable, low-complexity exploitation requiring only low-privileged authentication and no user interaction, with full confidentiality/integrity/availability impact - consistent with arbitrary command execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or registers) a low-privileged MaxKB account crafts a .tool file whose MCP configuration specifies a stdio transport with a malicious command (e.g., a reverse shell), imports it, and wires it into an AI Chat node. When the node executes, MultiServerMCPClient launches the stdio subprocess on the MaxKB host, giving the attacker arbitrary command execution as the service account. …
Remediation Vendor-released patch: upgrade to MaxKB 2.10.0-lts, which enforces MCP transport-type validation (see GHSA-4pr3-9xhm-98x5 and the release notes at https://github.com/1Panel-dev/MaxKB/releases/tag/v2.10.0-lts). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify MaxKB deployments and verify affected versions (<2.10.0-lts); restrict tool file import permissions to system administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Maxkb

View all
CVE-2025-48950 HIGH POC
8.8 Jun 03

MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in

CVE-2026-56779 MEDIUM POC
5.3 Jun 25

Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role

CVE-2026-39423 MEDIUM
6.9 Apr 14

Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to

CVE-2026-39422 MEDIUM
6.9 Apr 14

Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript thr

CVE-2026-45413 MEDIUM
6.9 May 26

MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all

CVE-2026-42335 MEDIUM
6.3 May 26

Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal netwo

CVE-2026-45412 MEDIUM
6.3 May 26

Server-Side Request Forgery in MaxKB before 2.9.1 allows authenticated users to pivot into internal network infrastructu

CVE-2026-6108 LOW POC
2.1 Apr 12

OS command injection in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to execute arbitrary

CVE-2025-15632 LOW POC
2.0 Apr 13

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malic

CVE-2026-6106 LOW POC
2.0 Apr 11

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malic

CVE-2026-42337 MEDIUM
5.3 May 26

Broken access control in MaxKB 2.8.0 and earlier exposes the OSS file service URL fetch API (`chat/api/oss/get_url`) to

CVE-2026-39425 MEDIUM
5.1 Apr 14

Stored Cross-Site Scripting in MaxKB 2.7.1 and below allows authenticated users to inject arbitrary JavaScript into the

Share

EUVD-2026-42924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy