Description
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows an authenticated user with tool-editing permissions to reach internal services that are explicitly blocked by the sandbox's banned hosts configuration. MaxKB's sandbox uses LD_PRELOAD to hook the connect() function and block connections to banned IPs, but Linux's sendto() with the MSG_FASTOPEN flag can establish TCP connections directly through the kernel without ever calling connect(), completely bypassing the IP validation. Although sendto is listed in the syscall() wrapper, this is ineffective because glibc invokes the kernel syscall directly rather than routing through the hooked syscall() function. This issue has been fixed in version 2.8.0.
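The gap described above is that the shim hooks connect() and the variadic syscall() wrapper, while glibc's own sendto() wrapper passes through neither. The following is an added example, not MaxKB's code or its 2.8.0 fix, of an LD_PRELOAD shim that overrides libc's sendto() directly and applies a destination check whenever MSG_FASTOPEN could open a connection; the banned-host list is a constructed stand-in for the sandbox's configuration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed stand-in for the sandbox's banned-hosts configuration. */
static const char *const BANNED_HOSTS[] = { "127.0.0.1", "169.254.169.254", NULL };

/* 1 if the destination is a banned host. IPv4-mapped IPv6 (::ffff:a.b.c.d) is
 * normalised to IPv4 so the list cannot be sidestepped by address family. */
int dest_is_banned(const struct sockaddr *addr, socklen_t len) {
    char text[INET6_ADDRSTRLEN];
    if (addr == NULL) return 0;
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)addr;
        if (!inet_ntop(AF_INET, &in4->sin_addr, text, sizeof text)) return 1;
    } else if (addr->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)addr;
        int mapped = IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr);
        if (!inet_ntop(mapped ? AF_INET : AF_INET6,
                       mapped ? (const void *)&in6->sin6_addr.s6_addr[12]
                              : (const void *)&in6->sin6_addr,
                       text, sizeof text)) return 1;   /* fail closed */
    } else {
        return 0;   /* not an IP destination (e.g. AF_UNIX): other policy applies */
    }
    for (const char *const *h = BANNED_HOSTS; *h != NULL; h++)
        if (strcmp(text, *h) == 0) return 1;
    return 0;
}

/* 1 if this sendto() can open a TCP connection by itself: MSG_FASTOPEN plus a destination. */
int sendto_may_connect(int flags, const struct sockaddr *dest) {
    return dest != NULL && (flags & MSG_FASTOPEN) != 0;
}

/* Override of libc's sendto(), picked up via LD_PRELOAD. It forwards straight to the
 * kernel with syscall(2), so there is no dlsym/libdl dependency. sendmsg() also
 * accepts MSG_FASTOPEN and needs the same check in a complete shim. */
ssize_t sendto(int fd, const void *buf, size_t len, int flags,
               const struct sockaddr *dest, socklen_t addrlen) {
    if (sendto_may_connect(flags, dest) && dest_is_banned(dest, addrlen)) {
        errno = EACCES;   /* same refusal the connect() hook gives for banned hosts */
        return -1;
    }
    return syscall(SYS_sendto, fd, buf, len, flags, dest, addrlen);
}
```

Build it as a shared object (gcc -shared -fPIC) and load it with LD_PRELOAD alongside the existing connect() hook; the refusal happens before any syscall is issued, so a blocked call never reaches the kernel.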
Published: 2026-04-14
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of sandbox network protection allowing access to internal services
Action: Apply patch
AI Analysis

Impact

In MaxKB versions 2.7.1 and earlier, an authenticated user with tool‑editing permissions can call socket.sendto() with the MSG_FASTOPEN flag to establish TCP connections directly through the kernel, bypassing the sandbox's IP validation hooks. Because the check is applied only in the hooked connect() path, the banned hosts configuration does not restrict this code path, and the user can reach internal services it is meant to block. The vulnerability is classified as Server‑Side Request Forgery (CWE-918) and can compromise the confidentiality of internal resources.

Affected Systems

The affected product is MaxKB, developed by 1Panel‑dev. Installations running version 2.7.1 or earlier are susceptible; the fix is available in version 2.8.0 and later.

Risk and Exploitability

The CVSS v3.1 base score for this issue is 5.0, indicating medium severity. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires valid credentials with tool‑editing privileges; such a user can trigger the bypass with a crafted sendto() call. Once exploited, the attacker can reach services hidden behind the sandbox, potentially exposing internal data or enabling further lateral movement.

Generated by OpenCVE AI on April 14, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MaxKB to version 2.8.0 or later to apply the patched socket handling logic
  • If an update is not immediately possible, restrict tool‑editing permissions to trusted users only
  • Consider disabling the sandbox or monitoring outbound socket usage for suspicious MSG_FASTOPEN calls

Generated by OpenCVE AI on April 14, 2026 at 02:22 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 1panel; 1panel maxkb
Vendors & Products | | 1panel; 1panel maxkb

Tue, 14 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows an authenticated user with tool-editing permissions to reach internal services that are explicitly blocked by the sandbox's banned hosts configuration. MaxKB's sandbox uses LD_PRELOAD to hook the connect() function and block connections to banned IPs, but Linux's sendto() with the MSG_FASTOPEN flag can establish TCP connections directly through the kernel without ever calling connect(), completely bypassing the IP validation. Although sendto is listed in the syscall() wrapper, this is ineffective because glibc invokes the kernel syscall directly rather than routing through the hooked syscall() function. This issue has been fixed in version 2.8.0.
Title | | MaxKB: SSRF via sandbox network hook bypass
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:54:30.206Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39418

Vulnrichment

Updated: 2026-04-14T15:54:24.283Z

NVD

Status : Received

Published: 2026-04-14T01:16:04.353

Modified: 2026-04-14T01:16:04.353

Link: CVE-2026-39418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:17Z

Weaknesses