CVE-2026-42335 1Panel-dev CVE debrief

Who should care

Organizations running MaxKB versions prior to 2.8.1 in production environments, particularly those with MaxKB deployed in networks with access to sensitive internal services, cloud metadata endpoints, or infrastructure APIs. Security teams responsible for AI/ML platform security and developers maintaining MaxKB deployments should prioritize this patch.

Technical summary

The vulnerability stems from a parsing differential between Python's `urlparse` module and the `requests` library when handling URLs. Attackers can craft URLs that pass `urlparse` validation but are interpreted differently by `requests`, enabling access to internal IP addresses, localhost, or other restricted destinations. The affected endpoint `/chat/api/oss/get_url` is designed to fetch remote file URLs for OSS (Object Storage Service) operations, making it a high-value target for SSRF exploitation. The CVSS 4.0 scoring reflects significant system confidentiality impact (SC:H) with limited integrity impact (SI:L), consistent with information disclosure capabilities typical of SSRF attacks.

Defensive priority

medium

Recommended defensive actions

• Upgrade MaxKB to version 2.8.1 or later to remediate the SSRF vulnerability
• Review and restrict network access for MaxKB deployments to limit exposure of internal services
• Implement additional SSRF protections such as URL canonicalization and allowlist-based validation independent of the HTTP client
• Monitor application logs for suspicious URL fetch requests to the `/chat/api/oss/get_url` endpoint
• Conduct security review of other URL-fetching functionality in MaxKB for similar parsing inconsistencies

Evidence notes

Vulnerability description sourced from NVD record and GitHub Security Advisory. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N. CWE-918 classification confirmed via weakness data. Fix version 2.8.1 explicitly stated in advisory.

Official resources