PatchSiren cyber security CVE debrief

CVE-2026-45413 1Panel-dev CVE debrief

MaxKB, an open-source AI assistant for enterprise environments, stored user passwords using unsalted MD5 hashing prior to version 2.9.1. MD5 is cryptographically broken and unsuitable for password storage, and the absence of salting leaves the stored hashes exposed to precomputed rainbow table attacks and efficient GPU-accelerated brute-force recovery. An attacker with access to the password database (through a database breach, backup exposure, or an insider) can trivially recover plaintext credentials. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) indicates a local attack vector with high confidentiality impact, reflecting that hash compromise typically requires local database access rather than remote exploitation. The vulnerability is classified under CWE-328 (Use of Weak Hash) and was remediated in MaxKB 2.9.1. Organizations should prioritize identifying all MaxKB deployments running versions prior to 2.9.1, force password resets for all user accounts upon upgrade, and audit access logs for indicators of database compromise.

Vendor
1Panel-dev
Product
MaxKB
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations operating MaxKB AI assistant platforms; security teams responsible for credential storage implementations; compliance officers evaluating password storage against regulatory requirements (NIST 800-63B, PCI-DSS); incident responders investigating potential credential database breaches

Technical summary

MaxKB versions prior to 2.9.1 store user passwords using unsalted MD5 hashing. MD5's cryptographic weaknesses combined with the lack of salting enable efficient password recovery through rainbow table lookups or GPU-accelerated brute-force attacks using tools such as hashcat. Because there are no per-user salts, identical passwords produce identical digests and a single precomputed table covers every account, so attackers with database access can recover plaintext credentials at scale. The vulnerability is fixed in version 2.9.1.

Defensive priority

high

Recommended defensive actions

  • Inventory all MaxKB deployments and upgrade to version 2.9.1 or later immediately
  • Force password resets for all user accounts following upgrade to invalidate potentially compromised hashes
  • Audit database access logs and backup locations for unauthorized access or exposure
  • Implement monitoring for anomalous authentication patterns that may indicate credential abuse
  • Review and strengthen database access controls to prevent future hash exfiltration
  • Consider implementing additional authentication factors to mitigate impact of any recovered credentials
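As an added example that is not MaxKB's own code, the following shows the unsalted-MD5 pattern described in the technical summary beside a salted PBKDF2 replacement, plus a check that flags remaining legacy-format hashes so the post-upgrade password reset recommended above can be scoped to the accounts that still need it. The record format, function names and the use of PBKDF2-HMAC-SHA256 are assumptions, not details of the MaxKB fix.

```python
import hashlib
import hmac
import secrets

# Illustrative reproduction of the weak pattern described in the advisory
# (assumption: not MaxKB's actual code). Every user with the same password
# gets the same digest, so one precomputed table covers every account.
def weak_hash_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened form: per-user random salt plus a deliberately slow KDF.
# 600,000 iterations of PBKDF2-HMAC-SHA256 follows current OWASP guidance.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record (assumed format) so parameters can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # legacy or unknown record: never accept, force a reset instead
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking digest bytes through timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)

def is_legacy_md5(stored: str) -> bool:
    """True when the stored value looks like a bare 32-hex-char MD5 digest,
    i.e. an account that still needs a forced reset after the upgrade."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def accounts_needing_reset(user_hashes: dict) -> list:
    """Given {username: stored_hash} (constructed input), list users on legacy hashes."""
    return sorted(u for u, h in user_hashes.items() if is_legacy_md5(h))
```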

Evidence notes

Vulnerability description and remediation version (2.9.1) sourced from official CVE record. CWE-328 classification and CVSS 4.0 vector confirmed via NVD source data. GitHub Security Advisory GHSA-2m4c-mcq5-q8xq cited as primary reference.

Official resources

2026-05-26