Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0.
Published: 2026-04-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The vulnerability exists in MaxKB’s ToolExecutor component, where an authenticated user with workspace privileges can exploit Python’s ctypes library to invoke raw system calls. Because the LD_PRELOAD-based sandbox.so module, which intercepts critical functions such as execve, system, connect, and open, does not block the pkey_mprotect system call, an attacker can bypass the sandbox’s protection to allocate executable memory and execute malicious code. This flaw, classified under CWE‑693 and CWE‑94, enables arbitrary code execution, potentially allowing full network exfiltration and container compromise.

Affected Systems

Affected products are 1Panel‑dev’s MaxKB versions 2.7.1 and earlier. The issue has been resolved in version 2.8.0 and later deployments.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium-severity vulnerability. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authentication with workspace privileges, which limits the attacker pool to trusted users, but an attacker who succeeds can achieve complete system takeover, making this a high‑priority risk for environments that expose MaxKB to external or internal collaborators.

Generated by OpenCVE AI on April 14, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxKB to version 2.8.0 or later
  • If an upgrade is not possible, restrict workspace privileges so authenticated users cannot access the ToolExecutor component
  • Verify that the LD_PRELOAD sandbox.so remains active and monitor for attempts to call ctypes or pkey_mprotect
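
One way to act on the monitoring recommendation above, as an added example that is not part of this page or of MaxKB: raw system calls never pass through an LD_PRELOAD hook, so the check runs on kernel audit records instead. The filter reports mprotect and pkey_mprotect calls that request PROT_EXEC from Python processes; it assumes x86_64 syscall numbers (10 and 329), an auditd rule that already records them, a hypothetical function name, and constructed sample records.

```python
import re

# Assumptions (not from the advisory): x86_64 syscall numbers, and an auditd
# rule that already records these syscalls for the sandboxed worker processes.
X86_64_ARCH = "c000003e"
WATCHED = {"10": "mprotect", "329": "pkey_mprotect"}
PROT_EXEC = 0x4

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in auditd SYSCALL format (not real telemetry).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1776130000.101:501): arch=c000003e syscall=329 success=yes exit=0 a0=7f3a10000000 a1=1000 a2=5 a3=0 pid=4242 uid=1001 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1776130000.205:502): arch=c000003e syscall=10 success=yes exit=0 a0=7f3a10002000 a1=2000 a2=3 a3=0 pid=4242 uid=1001 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1776130001.330:503): arch=c000003e syscall=329 success=yes exit=0 a0=7f3a20000000 a1=1000 a2=1 a3=0 pid=4250 uid=1001 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1776130002.007:504): arch=c000003e syscall=10 success=no exit=-13 a0=7f3a30000000 a1=1000 a2=7 a3=0 pid=4251 uid=1001 comm="python3" exe="/usr/bin/python3.11"
type=SYSCALL msg=audit(1776130003.000:505): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 pid=4300 uid=0 comm="ls" exe="/usr/bin/ls"
"""


def parse_record(line):
    """Split one audit record into a key -> value dict, dropping quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def exec_protection_events(log_text, comm_prefix="python"):
    """Return watched syscalls from matching processes that request PROT_EXEC.

    Failed calls are reported too: an attempt is worth an alert on its own.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
            continue
        name = WATCHED.get(rec.get("syscall"))
        if name is None or not rec.get("comm", "").startswith(comm_prefix):
            continue
        prot = int(rec.get("a2", "0"), 16)  # auditd prints a0..a3 as bare hex
        if prot & PROT_EXEC:                # third argument is prot for both calls
            findings.append({"syscall": name, "pid": rec.get("pid"), "prot": prot,
                             "success": rec.get("success") == "yes"})
    return findings


if __name__ == "__main__":
    for event in exec_protection_events(SAMPLE_LOG):
        print(event)
```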

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 1panel; 1panel maxkb
Vendors & Products | | 1panel; 1panel maxkb

Tue, 14 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0.
Title | | MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect
Weaknesses | | CWE-693; CWE-94
References | |
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:28:08.560Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39421

Vulnrichment

Updated: 2026-04-14T15:36:25.905Z

NVD

Status: Received

Published: 2026-04-14T01:16:04.690

Modified: 2026-04-14T01:16:04.690

Link: CVE-2026-39421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:12Z
