PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44847 1Panel-dev CVE debrief

MaxKB versions prior to 2.9.0 contain an authentication bypass in the webhook trigger endpoint. The WebhookAuth class unconditionally reports authentication success, so an unauthenticated attacker who knows (or can guess) a valid trigger ID can invoke the trigger and execute the tasks bound to it. The CVSS 3.1 score of 7.5 (HIGH) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction and has a high impact on integrity, with no confidentiality or availability impact scored. The vulnerability was published on 2026-05-26 and is fixed in version 2.9.0.

Vendor: 1Panel-dev
Product: MaxKB
CVSS: 7.5 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running MaxKB versions prior to 2.9.0, particularly those exposing the webhook trigger endpoint to untrusted networks or binding webhook triggers to tasks that modify data or act on other systems.

Technical summary

The vulnerability is in the WebhookAuth authentication class used by the /api/trigger/v1/webhook/{trigger_id} endpoint. A Django REST Framework authentication class signals "not attempted" by returning None and success by returning a (user, auth) tuple; WebhookAuth returns (None, {}) unconditionally, so every request to the endpoint is treated as authenticated and no credential is ever checked. Per-trigger token verification exists as an optional feature, but nothing in the backend requires it, so the endpoint is callable by anyone who can discover or guess a valid trigger ID, and the tasks bound to that trigger run with whatever effect they are configured to have. Version 2.9.0 fixes this by enforcing authentication on the endpoint.
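The following is an added illustration, not MaxKB's code and not the 2.9.0 fix: a DRF-style authentication class with the shape of the flaw (it always returns a (user, auth) tuple) next to a version that looks up the trigger, requires a configured token and compares it in constant time. The Request and Trigger stand-ins, the TRIGGERS table and the X-Webhook-Token header name are assumptions so that the file runs without Django or DRF installed.

```python
# Added example, not MaxKB's own code: a DRF-style authentication class that
# always returns a (user, auth) tuple, next to a version that enforces the
# per-trigger token. The Request/Trigger stand-ins, the TRIGGERS table and the
# X-Webhook-Token header name are assumptions so the file runs without Django.
import hmac
from dataclasses import dataclass
from typing import Optional


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed (HTTP 401)."""


@dataclass(frozen=True)
class Trigger:
    trigger_id: str
    token: Optional[str]  # None models a trigger whose optional token was never set


@dataclass
class Request:
    trigger_id: str  # value of the {trigger_id} path segment
    headers: dict    # assumed header carrying the token: X-Webhook-Token


# Constructed sample data, not real identifiers.
TRIGGERS = {
    "trg-0001": Trigger("trg-0001", token="s3cr3t-token-for-0001"),
    "trg-0002": Trigger("trg-0002", token=None),
}


class VulnerableWebhookAuth:
    """Shape of the flaw: a tuple return means 'authenticated' to DRF, and DRF
    stops consulting further authenticators once one returns non-None, so no
    credential is ever examined."""

    def authenticate(self, request: Request):
        return (None, {})


class HardenedWebhookAuth:
    """Look the trigger up, require a configured token, compare in constant time.
    Unknown IDs, unset tokens and wrong tokens all raise the same error so the
    endpoint does not become an oracle for valid trigger IDs (design choice of
    this example, not a statement about the upstream fix)."""

    def authenticate(self, request: Request):
        trigger = TRIGGERS.get(request.trigger_id)
        presented = request.headers.get("X-Webhook-Token")
        if trigger is None or not trigger.token or presented is None:
            raise AuthenticationFailed("invalid trigger or token")
        if not hmac.compare_digest(presented.encode(), trigger.token.encode()):
            raise AuthenticationFailed("invalid trigger or token")
        return (trigger, presented)


def invoke_webhook(auth_class, request: Request) -> str:
    """Models only the authentication step of the endpoint: the bound task is
    reached iff authenticate() returns instead of raising."""
    try:
        auth_class().authenticate(request)
    except AuthenticationFailed:
        return "denied"
    return f"executed {request.trigger_id}"


if __name__ == "__main__":
    anon = Request("trg-0001", headers={})
    print("vulnerable:", invoke_webhook(VulnerableWebhookAuth, anon))
    print("hardened:  ", invoke_webhook(HardenedWebhookAuth, anon))
```

The hardened class fails closed for a trigger whose optional token was never set (trg-0002 above); a deployment that wants tokenless triggers to remain usable would instead require a logged-in session for those, but it should never fall through to "authenticated" with no check at all, which is exactly what the (None, {}) return does.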

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade MaxKB to version 2.9.0 or later
  • Review access logs for invocations of /api/trigger/v1/webhook/{trigger_id} from unexpected sources, and for requests naming trigger IDs that do not exist (a sign of probing), covering the whole period the endpoint was exposed
  • If immediate patching is not feasible, restrict network access to the webhook endpoint at the reverse proxy or firewall; do not rely on trigger IDs being unguessable
  • Audit the tasks bound to each trigger for unauthorized execution or data modification
  • Consider rotating any secrets or tokens associated with webhook triggers
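The log review recommended above can be scripted. The following is an added example, not tooling from the advisory or from MaxKB: it parses reverse-proxy access logs for hits on the webhook endpoint and flags those from sources outside an allowlist or naming unknown trigger IDs. The nginx combined log format, the sample lines, the allowlisted network and the set of known trigger IDs are all constructed assumptions to adapt to your deployment.

```python
# Added example, not from the advisory or MaxKB: triage of reverse-proxy access
# logs for webhook-trigger invocations. The log format (nginx combined), the
# sample lines, the allowlisted CIDR and the known trigger IDs are constructed
# assumptions; adapt them to your deployment.
import ipaddress
import re

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
WEBHOOK_RE = re.compile(
    r'"(?P<method>[A-Z]+) /api/trigger/v1/webhook/(?P<trigger_id>[^ /?"]+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (nginx combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2026:09:00:01 +0000] "POST /api/trigger/v1/webhook/trg-0001 HTTP/1.1" 200 17 "-" "ci-runner/1.0"
203.0.113.9 - - [25/May/2026:09:00:02 +0000] "POST /api/trigger/v1/webhook/trg-0001 HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.9 - - [25/May/2026:09:00:03 +0000] "POST /api/trigger/v1/webhook/trg-9999 HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.5 - - [25/May/2026:09:00:04 +0000] "GET /api/user/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed: only internal CI and automation are expected to call webhooks.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed: the trigger IDs actually configured in this MaxKB instance.
KNOWN_TRIGGERS = {"trg-0001", "trg-0002"}


def parse_webhook_hits(log_text):
    """Return one dict per request that reached the webhook trigger endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        w = WEBHOOK_RE.search(m.group("rest"))
        if not w:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "trigger_id": w.group("trigger_id"),
            "status": int(w.group("status")),
        })
    return hits


def triage(log_text):
    """Flag webhook hits worth a closer look, with the reasons attached.

    A 2xx from an unallowlisted source means the request was accepted and the
    bound task most likely ran: audit that task. Requests for trigger IDs that
    do not exist indicate someone enumerating IDs."""
    findings = []
    for hit in parse_webhook_hits(log_text):
        src = ipaddress.ip_address(hit["ip"])
        reasons = []
        if not any(src in net for net in ALLOWED_SOURCES):
            if hit["status"] < 300:
                reasons.append("executed from untrusted source")
            else:
                reasons.append("attempt from untrusted source")
        if hit["trigger_id"] not in KNOWN_TRIGGERS:
            reasons.append("unknown trigger id (probing)")
        if reasons:
            findings.append({**hit, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["trigger_id"], f["status"], "; ".join(f["reasons"]))
```

Proxy logs do not show whether a request carried a per-trigger token, so source allowlisting and unknown-ID probing are the signals available at this layer; a 2xx should be read as "request accepted", and whether the bound task completed has to be confirmed from the task's own records.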

Evidence notes

Authentication bypass confirmed via GitHub Security Advisory GHSA-r3j3-j58q-rjpp. CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function) identified. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Official resources

2026-05-26