Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path (loading MCP config from the database). The else branch, responsible for loading mcp_servers directly from user-supplied JSON, remains completely unpatched. Since mcp_source is an optional field (required=False), an attacker can simply omit it or set it to any non-referencing value to bypass the fix. By calling the workflow creation API directly with a crafted JSON payload, an attacker can inject a complete MCP node configuration with stdio transport, arbitrary command, and args, achieving RCE when the workflow is triggered via chat. This issue has been fixed in version 2.8.0.
Published: 2026-04-14
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary command payloads into the MCP node configuration by crafting a JSON payload when creating a workflow. This leads to remote code execution on the MaxKB server when the workflow is triggered, potentially compromising confidentiality, integrity, and availability. The flaw resides in an unpatched else branch that loads mcp_servers from user‑supplied data, an instance of OS Command Injection (CWE‑78) and Improper Input Validation (CWE‑20).

Affected Systems

The affected product is MaxKB, an open‑source AI assistant developed by 1Panel‑dev. Version 2.7.1 and all earlier releases are vulnerable. The issue is present in the MCP node of the workflow engine; later releases, such as 2.8.0, incorporate the fix.

Risk and Exploitability

The CVSS score is 4.6, which classifies the risk as medium. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through the workflow creation API, so the attacker would need legitimate API access or the ability to inject the crafted JSON into the chat interface. Successful exploitation results in full code execution on the host, posing a severe threat to the entire system.

Generated by OpenCVE AI on April 14, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxKB to version 2.8.0 or later
  • Limit exposure of the workflow creation API to authenticated users only
  • Monitor workflow activity logs for anomalous command injection patterns
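
An audit check for the bypass described above, as an added example that is not MaxKB or OpenCVE code: it walks a stored workflow document and flags every inline mcp_servers entry that uses stdio transport or carries a command, whatever mcp_source says. The names mcp_source, mcp_servers and referencing come from the description; the key names transport, command, args and url, the mcp_source value custom, and the node layout in SAMPLE are assumptions.

```python
import json

def _server_entries(mcp_servers):
    """Yield (name, config) pairs from a dict or JSON-string mcp_servers value."""
    if isinstance(mcp_servers, str):
        try:
            mcp_servers = json.loads(mcp_servers)
        except ValueError:
            return
    if isinstance(mcp_servers, dict):
        for name, cfg in mcp_servers.items():
            if isinstance(cfg, dict):
                yield name, cfg

def find_inline_stdio(doc, path="$"):
    """Report inline MCP servers that would spawn a local process.

    mcp_source is recorded but never used to skip a node: omitting it or
    giving it a non-referencing value is exactly how the fix was bypassed.
    """
    findings = []
    if isinstance(doc, dict):
        for name, cfg in _server_entries(doc.get("mcp_servers")):
            # Assumed key names: "transport", "command", "args".
            if str(cfg.get("transport", "")).lower() == "stdio" or "command" in cfg:
                findings.append({"path": path, "server": name,
                                 "mcp_source": doc.get("mcp_source"),
                                 "command": cfg.get("command"),
                                 "args": cfg.get("args", [])})
        for key, value in doc.items():
            findings += find_inline_stdio(value, f"{path}.{key}")
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            findings += find_inline_stdio(item, f"{path}[{i}]")
    return findings

# Constructed sample; the node layout and values are hypothetical.
SAMPLE = {"nodes": [
    {"id": "n1", "properties": {"node_data": {   # mcp_source omitted
        "mcp_servers": json.dumps({"demo": {"transport": "stdio",
            "command": "example-binary", "args": ["--flag"]}})}}},
    {"id": "n2", "properties": {"node_data": {"mcp_source": "referencing"}}},
    {"id": "n3", "properties": {"node_data": {"mcp_source": "custom",
        "mcp_servers": {"web": {"transport": "sse",
            "url": "https://mcp.example.invalid/sse"}}}}},
]}

if __name__ == "__main__":
    for f in find_inline_stdio(SAMPLE):
        print(f)
```

Only node n1 is reported: n2 uses the referencing path and n3 declares a network transport with no command.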

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Maxkb; Maxkb maxkb |
| CPEs | | cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:* |
| Vendors & Products | | Maxkb; Maxkb maxkb |

Tue, 14 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | 1panel; 1panel maxkb |
| Vendors & Products | | 1panel; 1panel maxkb |

Tue, 14 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 14 Apr 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | (as in the Description at the top of this record) |
| Title | | MaxKB: RCE via MCP stdio command injection in workflow engine |
| Weaknesses | | CWE-20; CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:34:07.454Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39417

Vulnrichment

Updated: 2026-04-14T13:34:00.626Z

NVD

Status: Analyzed

Published: 2026-04-14T00:16:07.193

Modified: 2026-04-20T17:36:38.510

Link: CVE-2026-39417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:34Z
