Description
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server‑side request forgery (CWE‑918) in the tool creation and update endpoints of MaxKB before version 2.10.0. An authenticated user can supply unvalidated downloadCallbackUrl and download_url parameters to cause the server to issue arbitrary requests to any host reachable from the server. Successful exploitation could allow an attacker to reach internal services, exfiltrate data, or perform further attacks against the network.

Affected Systems

The affected product is MaxKB (1Panel-dev) prior to release 2.10.0. Users who hold the default workspace USER role and can invoke the ToolSerializer endpoints can exploit the flaw. The vulnerability exists in the downloadCallbackUrl and download_url parameters used during tool creation and updates.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, while the EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog. The exploit requires authentication and is limited to users with the default workspace USER role. Because the flaw allows arbitrary outbound connections, an attacker could access internal hosts if the server can reach them, but the attack surface is constrained by the need for valid credentials and the specific API endpoints. The likelihood of exploitation is moderate given the exposure only to authenticated users and absence of known public exploits.

Generated by OpenCVE AI on June 25, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MaxKB to version 2.10.0 or later to remove the vulnerability.
  • Restrict the default workspace USER role from accessing the tool creation and update endpoints, or enforce stricter access controls that prevent unauthorized use of downloadCallbackUrl and download_url.
  • If upgrading immediately is not possible, implement server‑side validation or whitelisting of the downloadCallbackUrl and download_url parameters to ensure only trusted destinations are contacted.

Generated by OpenCVE AI on June 25, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared 1panel
1panel maxkb
Vendors & Products 1panel
1panel maxkb

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
Title MaxKB < 2.10.0 - Server-Side Request Forgery via downloadCallbackUrl and download_url Parameters
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:24.163Z

Reserved: 2026-06-23T01:22:22.572Z

Link: CVE-2026-56779

cve-icon Vulnrichment

Updated: 2026-06-30T03:27:21.337Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:15:16Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)