Zero Day MonitorZDM

← Back to list

3.1

CVE-2026-39419EXPLOITEDPATCHED

1panel-dev · maxkb

MaxKB: Sandbox Result Validation Bypass via Tool Output Spoofing

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.

Affected Products

Vendor	Product	Versions
1panel-dev	maxkb	< 2.8.0

References

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f3c8-p474-xwfv(x_refsource_CONFIRM)
https://github.com/1Panel-dev/MaxKB/commit/38c4cfecd065293ede0437f6fa76cf0116591d25(x_refsource_MISC)
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB11h ago

CVE-2026-39419 | 1Panel-dev MaxKB up to 2.7.x Service injection (GHSA-f3c8-p474-xwfv)

→ No new info (linked only)

CVSS 3.13.1 LOW

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.8.0

CWECWE-74, CWE-693, CWE-290

PublishedApr 14, 2026

Last enriched11h agov2

Trending Score39

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-39421EXP

MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect

CRITICALCVE-2026-39420EXP

MaxKB: Sandbox escape via LD_PRELOAD bypass

NONECVE-2026-39422EXP

MaxKB has Stored XSS via ChatHeadersMiddleware

NONECVE-2026-39425EXP

MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering

HIGHCVE-2026-39426EXP

MaxKB: Stored XSS via Unsanitized iframe_render Parsing

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 14, 2026

Discovered by ZDM

Apr 14, 2026

Updated: severity, cvssEstimate, activelyExploited, patchAvailable

Apr 14, 2026

Actively Exploited

Apr 14, 2026

Patch Available

Apr 14, 2026

Version History

v2

Last enriched 11h ago

v2Tier C11h ago

Updated severity to HIGH, CVSS estimate to 7.5, marked as actively exploited, and noted that no exploit is available.

severitycvssEstimateactivelyExploitedpatchAvailable

via VulDB

v114h ago

Initial creation