CVE-2026-42336 1Panel-dev CVE debrief

Who should care

Organizations running MaxKB 2.8.0 or earlier for enterprise AI assistant functionality; security teams responsible for application security and SSRF prevention; network administrators managing internal service exposure

Technical summary

The vulnerability is a server-side request forgery (SSRF) bypass in MaxKB's OSS file service URL fetch functionality. The root cause is a time-of-check to time-of-use (TOCTOU) race condition where DNS resolution occurs during URL validation but may resolve differently when the actual HTTP request is executed. This inconsistency allows an attacker to supply a URL that passes initial validation (e.g., resolving to a public IP) but resolves to an internal address when the request is made. The CVSS 4.0 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, with high impact to system confidentiality and low impact to system integrity. The vulnerability affects MaxKB 2.8.0 and prior; version 2.8.1 contains the fix.

Defensive priority

medium

Recommended defensive actions

• Upgrade MaxKB to version 2.8.1 or later to remediate this vulnerability
• Review and audit internal network access controls for services that may be reachable from MaxKB application servers
• Implement network segmentation to limit exposure of internal services to application hosts
• Consider implementing additional SSRF protections such as URL parsing normalization and DNS resolution caching with consistent validation logic
• Monitor application logs for anomalous outbound requests from MaxKB instances

Evidence notes

Vulnerability disclosed via GitHub Security Advisory GHSA-6m4p-9wwc-4q5q. Fix confirmed in MaxKB 2.8.1.

Official resources