PatchSiren cyber security CVE debrief

CVE-2026-42337 1Panel-dev CVE debrief

A broken access control vulnerability in MaxKB 2.8.0 and prior allows authenticated attackers to access OSS file service URLs belonging to other applications. The `chat/api/oss/get_url` endpoint accepts an `application_id` from the URL path without verifying that the requesting user owns or has permission to access that application. This permits horizontal privilege escalation where an attacker with valid credentials can perform file operations under another application's policies. The vulnerability is classified as CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 5.3 (Medium). The issue was fixed in MaxKB 2.8.1. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: 1Panel-dev
Product: MaxKB
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running MaxKB 2.8.0 or earlier in multi-tenant or multi-application environments where isolation between application data is required. Security teams responsible for AI assistant platforms and developers maintaining MaxKB deployments.

Technical summary

The vulnerability exists in the `chat/api/oss/get_url` endpoint where the `application_id` parameter from the URL path is used without ownership validation. An authenticated attacker can supply arbitrary `application_id` values to retrieve or manipulate OSS file URLs under policies configured for other applications. This represents a missing authorization check (CWE-862) in a multi-tenant file service interface. The fix in 2.8.1 adds proper authorization validation to ensure users can only access resources belonging to their own applications.
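To make the missing-authorization shape concrete, here is an added illustration (hypothetical code written for this debrief, not MaxKB's own handler or data model). It places a handler that trusts the `application_id` path parameter next to one that resolves the application through the caller's ownership before any OSS operation. The `Request` type, the `APP_OWNERS`/`APP_BUCKETS` tables and the `build_oss_url` stub are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for an HTTP request: the caller is already
    authenticated; application_id is taken from the URL path."""
    user_id: str
    application_id: str
    file_key: str


# Constructed ownership table and per-application OSS storage policy.
# (Assumed data model for this illustration, not MaxKB's.)
APP_OWNERS = {"app-A": "alice", "app-B": "bob"}
APP_BUCKETS = {"app-A": "bucket-a", "app-B": "bucket-b"}


def build_oss_url(application_id: str, file_key: str) -> str:
    """Stands in for the OSS client call that issues a URL under the
    application's storage policy (hypothetical helper)."""
    return f"https://oss.example.invalid/{APP_BUCKETS[application_id]}/{file_key}"


def get_url_vulnerable(req: Request) -> Tuple[int, Optional[str]]:
    """The CWE-862 shape: authentication has happened, but the path
    parameter is used as-is, so any logged-in user obtains URLs under
    any existing application's policy."""
    if req.application_id not in APP_BUCKETS:
        return 404, None
    return 200, build_oss_url(req.application_id, req.file_key)


def get_url_fixed(req: Request) -> Tuple[int, Optional[str]]:
    """Object-level authorization: the application is looked up through
    the caller's ownership before any OSS operation. Unknown and unowned
    IDs get the same 404 so the endpoint does not reveal which
    application IDs exist."""
    if APP_OWNERS.get(req.application_id) != req.user_id:
        return 404, None
    return 200, build_oss_url(req.application_id, req.file_key)


if __name__ == "__main__":
    cross_app = Request("alice", "app-B", "report.pdf")
    print("vulnerable:", get_url_vulnerable(cross_app))  # URL under bucket-b
    print("fixed:     ", get_url_fixed(cross_app))       # (404, None)
```

The design point is where the lookup starts: the fixed handler never consults the storage policy for an application the caller does not own, so the authorization decision happens before, not after, the OSS-facing code runs.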

Defensive priority

Medium

Recommended defensive actions

  • Upgrade MaxKB to version 2.8.1 or later to remediate the broken access control vulnerability.
  • Review application access logs, covering the period before patching, for requests to `/chat/api/oss/get_url` whose `application_id` is not owned by the requesting user.
  • Implement additional authorization checks at the application layer to validate ownership of `application_id` parameters in multi-tenant deployments.
  • Monitor for anomalous file access patterns across application boundaries in MaxKB deployments.
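The log-review and monitoring items above can be turned into a repeatable check. The following is an added example, not a tool shipped with MaxKB: it scans access-log lines for `get_url` requests and flags any whose `application_id` the requesting user does not own, plus requests for application IDs that do not exist (a pattern worth reviewing on its own). The log line format, the route shape `/chat/api/<application_id>/oss/get_url` and the `APP_OWNERS` table are all assumptions constructed for the example; adapt the two regular expressions to the real deployment's log and URL layout.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed log line format (constructed for this example, not MaxKB's own).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)
# Assumed route shape carrying application_id in the path.
ROUTE_RE = re.compile(r"^/chat/api/(?P<app>[^/?]+)/oss/get_url(?:\?|$)")

# Constructed sample log: two cross-application requests by alice, one by
# carol, one probe of a non-existent application by bob, and one request
# to an unrelated endpoint that the check must ignore.
SAMPLE_LOG = """\
2026-05-20T10:00:01Z user=alice path=/chat/api/app-A/oss/get_url?file=a.txt status=200
2026-05-20T10:00:05Z user=alice path=/chat/api/app-B/oss/get_url?file=report.pdf status=200
2026-05-20T10:00:09Z user=bob path=/chat/api/app-B/oss/get_url?file=b.txt status=200
2026-05-20T10:00:12Z user=alice path=/chat/api/app-C/oss/get_url?file=x.txt status=200
2026-05-20T10:01:00Z user=carol path=/chat/api/app-A/oss/get_url?file=a.txt status=200
2026-05-20T10:02:00Z user=bob path=/chat/api/app-A/chat_message status=200
2026-05-20T10:03:00Z user=bob path=/chat/api/app-Z/oss/get_url?file=z.txt status=404
"""

# Constructed ownership table; in practice this comes from the deployment's
# application records.
APP_OWNERS = {"app-A": "alice", "app-B": "bob", "app-C": "carol"}

Finding = Tuple[str, str, str, str]  # (timestamp, user, application_id, reason)


def find_cross_app_access(log_text: str, owners: Dict[str, str]) -> List[Finding]:
    """Return every get_url request whose application_id is not owned by
    the requesting user, or names an application that does not exist."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess
        r = ROUTE_RE.match(m["path"])
        if not r:
            continue  # other endpoints are out of scope for this check
        app, user = r["app"], m["user"]
        owner = owners.get(app)
        if owner is None:
            findings.append((m["ts"], user, app, "unknown application_id"))
        elif owner != user:
            findings.append((m["ts"], user, app, f"application owned by {owner}"))
    return findings


def summarize_by_user(findings: List[Finding]) -> Counter:
    """Count findings per requesting user to surface the accounts that
    most often reached across application boundaries."""
    return Counter(user for _, user, _, _ in findings)


if __name__ == "__main__":
    hits = find_cross_app_access(SAMPLE_LOG, APP_OWNERS)
    for ts, user, app, reason in hits:
        print(f"{ts} {user} -> {app}: {reason}")
    print(summarize_by_user(hits))
```

Because the vulnerable endpoint returned success for these requests, status codes alone will not separate legitimate from cross-application access; the ownership join against the application records is what makes the review meaningful, and the same join is what the per-user summary feeds into an alert rule.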

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory. CVSS vector and CWE classification sourced from NVD record. No KEV listing present.

Official resources

2026-05-26