Impact
MaxKB, an open‑source AI assistant, stores user passwords using basic MD5 hashes without a salt in releases prior to 2.9.1. MD5 is a fast, one‑way hash algorithm that is now considered weak; without a salt, the hashes can be reversed with rainbow tables or GPU‑accelerated brute‑force tools such as hashcat in a matter of minutes. An attacker who obtains the password database can quickly recover all user credentials, enabling full access to the system, impersonation of privileged users, or further lateral movement. The vulnerability directly exposes stored credentials and compromises confidentiality of user data.
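The following added example (not MaxKB's own code) contrasts the unsalted-MD5 storage described above with a salted, deliberately slow scheme, and includes a simple check a defender can use to flag legacy-format hashes in a credential table for re-hashing at the user's next login. The record format, iteration count, and sample rows are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

def legacy_md5(password: str) -> str:
    """Weak scheme from the advisory: unsalted MD5. Equal passwords give equal digests,
    so one precomputed table reverses every user's hash at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened replacement: random per-user salt plus PBKDF2-HMAC-SHA256 with a high
# iteration count, so each guess is slow and tables cannot be shared across users.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Migration check: a bare 32-hex-character value matches the legacy MD5 format.
LEGACY_RE = re.compile(r"^[0-9a-f]{32}$")

def is_legacy_hash(stored: str) -> bool:
    return LEGACY_RE.fullmatch(stored.lower()) is not None

def find_legacy_accounts(rows: List[Tuple[str, str]]) -> List[str]:
    """Return usernames whose stored credential is still an unsalted MD5 digest."""
    return [user for user, stored in rows if is_legacy_hash(stored)]

# Constructed sample credential table: two legacy rows (note the identical digests
# for the shared password) and one already-migrated row.
SAMPLE_ROWS = [
    ("alice", legacy_md5("password")),
    ("bob", legacy_md5("password")),
    ("carol", hash_password("password")),
]
```

Rows returned by `find_legacy_accounts` should be re-hashed with `hash_password` the next time the user authenticates successfully, since the plaintext is only available at that moment.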
Affected Systems
The vulnerability affects the 1Panel-dev MaxKB product in all versions released before 2.9.1. No specific patch level is listed, but the security advisory states that any deployment of MaxKB older than version 2.9.1 is susceptible. The affected product is a web‑based enterprise AI assistant, and the issue concerns the internal credential storage mechanism used by the application.
Risk and Exploitability
The CVSS score is 6.9, indicating moderate severity. The EPSS score is not reported, and the vulnerability is not listed in the CISA KEV catalog. The attack path requires an adversary to first acquire the password database, for example through exploitation of another vulnerability, privileged access, or a breach of database credentials. Once the database is compromised, cracking the unsalted MD5 hashes is trivial, enabling credential theft and potential escalation to full system compromise. The likelihood of exploitation remains uncertain without EPSS data, but because unsalted MD5 is fast to compute and widely understood to be crackable, any leaked password database from an affected deployment is immediately valuable to attackers.
OpenCVE Enrichment