Impact
The vulnerability is a server‑side request forgery (CWE‑918) in the tool creation and update endpoints of MaxKB before version 2.10.0. An authenticated user can supply unvalidated downloadCallbackUrl and download_url parameters to cause the server to issue arbitrary requests to any host reachable from the server. Successful exploitation could allow an attacker to reach internal services, exfiltrate data, or perform further attacks against the network.
Affected Systems
The affected product is MaxKB (1Panel-dev) prior to release 2.10.0. Users who hold the default workspace USER role and can invoke the ToolSerializer endpoints can exploit the flaw. The vulnerability exists in the downloadCallbackUrl and download_url parameters used during tool creation and updates.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium severity, while the EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog. The exploit requires authentication and is limited to users with the default workspace USER role. Because the flaw allows arbitrary outbound connections, an attacker could access internal hosts if the server can reach them, but the attack surface is constrained by the need for valid credentials and the specific API endpoints. The likelihood of exploitation is moderate given the exposure only to authenticated users and absence of known public exploits.
OpenCVE Enrichment