Description
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. Using the env command, the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0.
Published: 2026-04-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution after sandbox escape via LD_PRELOAD removal
Action: Immediate patch
AI Analysis

Impact

MaxKB implements a sandbox that injects a shared object through LD_PRELOAD to monitor critical libc calls used by untrusted Python code executed via its Tool Debug API. In versions up to and including 2.7.1, the sandbox permits the /usr/bin/env utility for sandboxed users, and the env -i option clears all environment variables, including LD_PRELOAD. An authenticated user with tool execution privileges can therefore run env -i python to drop the sandbox hooks before the subprocess starts, giving the Python process unrestricted access to the host for file and network operations. This results in a remote code execution vulnerability that allows an attacker to execute arbitrary code and access network resources from within the MaxKB instance. The flaw manifests as a misuse of a trusted component (CWE-693) and an OS command injection vector (CWE-78).

Affected Systems

The affected product is the open‑source AI assistant MaxKB developed by 1Panel‑dev. Any deployment using version 2.7.1 or earlier is vulnerable; the issue was patched in release 2.8.0.

Risk and Exploitability

The CVSS v3 score of 6.3 indicates moderate-to-high severity. Exploitation requires the attacker to already have a privileged account that can invoke the Tool Debug API, so the risk is confined to compromised MaxKB instances. EPSS data is unavailable, and the vulnerability is not currently listed in CISA's KEV catalog. The likely attack vector is local, through authenticated tool execution; after exploitation, the attacker can launch arbitrary code or network connections from the host. Accordingly, organizations should treat this as a risk that can be mitigated by patching or by restricting the ability to execute env within the sandbox.

Generated by OpenCVE AI on April 14, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MaxKB to version 2.8.0 or later to restore proper sandbox enforcement.
  • If an upgrade is not immediately possible, deny the sandboxed user the ability to execute /usr/bin/env by removing it from the allowed executable list or by replacing env with a wrapper that blocks the -i option.
  • Restrict tool execution privileges so that only trusted administrators can invoke the API that spawns subprocesses.
  • Monitor logs for unexpected use of env -i or other process creations from sandboxed users to detect exploitation attempts.
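
The monitoring action above can be implemented as a check over process-execution records. The following is an added example, not part of the original page or of MaxKB's code: it flags env invocations that clear the environment and, more generally, any sandbox-user process whose environment no longer carries the sandbox.so preload. The account name "sandbox", the record layout and the sample paths are assumptions constructed for illustration.

```python
import os

HOOK = "sandbox.so"        # library name from the advisory
SANDBOX_USER = "sandbox"   # assumed account name; adjust to the deployment

def parse_environ(raw):
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    pairs = (item.partition(b"=") for item in raw.split(b"\0"))
    return {k.decode(errors="replace"): v.decode(errors="replace")
            for k, sep, v in pairs if sep}

def hook_loaded(env):
    """True if LD_PRELOAD (':' or ' ' separated) still names the sandbox library."""
    entries = env.get("LD_PRELOAD", "").replace(":", " ").split()
    return any(os.path.basename(e) == HOOK for e in entries)

def clears_environment(argv):
    """True if argv runs env with -i, a bare '-', or --ignore-environment."""
    if not argv or os.path.basename(argv[0]) != "env":
        return False
    args = iter(argv[1:])
    for arg in args:
        if not arg.startswith("-"):
            return False          # NAME=VALUE or the command: options are over
        long_i = len(arg) > 2 and "--ignore-environment".startswith(arg)
        if arg == "-" or long_i or (arg[1] != "-" and "i" in arg):
            return True           # long form may be abbreviated; -vi is a cluster
        if arg[-1] in "uC" and arg[1] != "-":
            next(args, None)      # -u NAME / -C DIR: value is the next element
    return False

def audit(records):
    """Return (pid, reason) for sandbox-user processes that lost the hook."""
    findings = []
    for r in (r for r in records if r["user"] == SANDBOX_USER):
        if clears_environment(r["argv"]):
            findings.append((r["pid"], "env clears environment"))
        elif not hook_loaded(parse_environ(r["environ"])):
            findings.append((r["pid"], "LD_PRELOAD hook missing"))
    return findings

# Constructed sample records (not real telemetry).
HOOKED = b"PATH=/usr/bin\0LD_PRELOAD=/constructed/path/sandbox.so\0"
SAMPLE = [
    {"pid": 101, "user": "sandbox", "argv": ["python", "tool.py"], "environ": HOOKED},
    {"pid": 102, "user": "sandbox", "argv": ["/usr/bin/env", "-i", "python"], "environ": HOOKED},
    {"pid": 103, "user": "sandbox", "argv": ["python"], "environ": b"PATH=/usr/bin\0"},
]
```

The environment check is the stronger signal: it fires on any sandbox-user process running without the preload, regardless of which command removed it.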

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 1panel; 1panel maxkb
Vendors & Products | | 1panel; 1panel maxkb

Tue, 14 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. Using the env command, the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0.
Title | | MaxKB: Sandbox escape via LD_PRELOAD bypass
Weaknesses | | CWE-693, CWE-78
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T00:13:01.189Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39420

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-14T01:16:04.530

Modified: 2026-04-14T01:16:04.530

Link: CVE-2026-39420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:13Z

Weaknesses