QwikSec

Security Database

CVE

CWE

Training

CVE-2026-39419

Published: Apr 14, 2026

Modified: Apr 14, 2026

PUBLISHED

CVSS v3.1

3.1

LOW

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.

Vendor	Product	Versions
1Panel-dev	MaxKB	affected `< 2.8.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f3c8-p474-xwfv

x_refsource_CONFIRM

https://github.com/1Panel-dev/MaxKB/commit/38c4cfecd065293ede0437f6fa76cf0116591d25

x_refsource_MISC

https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.