PatchSiren

1Panel-dev CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM 1Panel-dev CVE published 2026-05-26

CVE-2026-45413

MaxKB, an open-source AI assistant for enterprise environments, stored user passwords as unsalted MD5 digests prior to version 2.9.1. MD5 is a fast general-purpose hash, not a password hash, and is unsuitable for password storage independently of its known collision weaknesses; without a per-user salt, identical passwords produce identical digests, so one precomputed (rainbow) table lookup or one GPU-accelerated brute-force pass recovers every matching account at once. An attacker with access to the password database—whethe [truncated]
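The following is an added illustration of the weakness described above and of the standard fix; it is not MaxKB code and does not reproduce its hasher. It shows that a precomputed table of unsalted MD5 digests recovers a leaked hash in one lookup, and that a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here, with an assumed iteration count) defeats that table. The wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a precomputed table; real tables hold billions of entries.
WORDLIST = ["password", "123456", "letmein", "maxkb2024", "admin"]


def md5_unsalted(password: str) -> str:
    """The vulnerable scheme: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(words) -> Dict[str, str]:
    """Precompute digest -> plaintext once; afterwards every leaked hash costs one dict lookup."""
    return {md5_unsalted(w): w for w in words}


def crack_md5(table: Dict[str, str], digest: str) -> Optional[str]:
    return table.get(digest)


# Hardened scheme: a random 16-byte salt per user and a deliberately slow KDF.
# The iteration count is an assumption for this example; tune it to your hardware budget.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # self-describing record: algorithm, work factor, salt and digest, all needed to verify later
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so verification timing does not leak digest prefixes
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    leaked = md5_unsalted("maxkb2024")  # what an unsalted database row would contain
    print("unsalted md5 recovered:", crack_md5(table, leaked))
    stored = hash_password("maxkb2024", iterations=1000)
    print("salted hash verifies:", verify_password("maxkb2024", stored))
    print("same password, different rows:",
          hash_password("maxkb2024", 1000) != hash_password("maxkb2024", 1000))
```

Because every salted record carries its own salt, an attacker has to run the KDF per account rather than once per candidate password, and the table built against unsalted digests is useless against it.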

HIGH 1Panel-dev CVE published 2026-05-26

CVE-2026-44847

MaxKB versions prior to 2.9.0 contain an authentication bypass vulnerability in the webhook trigger endpoint. The WebhookAuth class unconditionally returns authentication success, allowing unauthenticated attackers with knowledge of a valid trigger ID to invoke webhook triggers and execute bound tasks. The CVSS 3.1 score of 7.5 (HIGH) reflects network attackability, low complexity, no privileges required, [truncated]
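An added example, not MaxKB's code, contrasting the always-succeeding authentication shape the advisory describes with one hardened design: a per-trigger secret, an HMAC-SHA256 signature over a timestamp and the raw body, a replay window, and a constant-time comparison. The header names, the trigger ID, the secret and the 300-second tolerance are assumptions made for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOLERANCE_SECONDS = 300  # replay window; an assumption for this example


@dataclass
class WebhookRequest:
    trigger_id: str  # taken from the URL path, exactly what the attacker is assumed to know
    body: bytes
    headers: Dict[str, str] = field(default_factory=dict)


class AlwaysAllowWebhookAuth:
    """The shape the advisory describes: authentication that cannot fail."""

    def authenticate(self, request: WebhookRequest) -> bool:
        return True


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Caller-side signature: HMAC-SHA256 over '<timestamp>.<raw body>'."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


class SignedWebhookAuth:
    """Hardened shape: per-trigger secret, signed timestamp+body, constant-time compare."""

    def __init__(self, secrets_by_trigger: Dict[str, bytes], now: Callable[[], float] = time.time):
        self.secrets = secrets_by_trigger
        self.now = now

    def authenticate(self, request: WebhookRequest) -> bool:
        secret = self.secrets.get(request.trigger_id)
        if secret is None:  # unknown trigger, or a trigger with no secret provisioned
            return False
        try:
            ts = int(request.headers.get("X-Webhook-Timestamp", ""))
        except ValueError:
            return False
        if abs(self.now() - ts) > TOLERANCE_SECONDS:  # stale or replayed
            return False
        expected = sign(secret, ts, request.body)
        provided = request.headers.get("X-Webhook-Signature", "")
        return hmac.compare_digest(expected, provided)


def make_request(trigger_id: str, body: bytes, secret: Optional[bytes], ts: int) -> WebhookRequest:
    """Build a request as a caller would; secret=None models an attacker who only knows the ID."""
    headers = {"X-Webhook-Timestamp": str(ts)}
    if secret is not None:
        headers["X-Webhook-Signature"] = sign(secret, ts, body)
    return WebhookRequest(trigger_id, body, headers)


if __name__ == "__main__":
    now = 1_700_000_000
    auth = SignedWebhookAuth({"trig-123": b"constructed-secret"}, now=lambda: now)
    good = make_request("trig-123", b'{"run": "nightly"}', b"constructed-secret", now)
    forged = make_request("trig-123", b'{"run": "nightly"}', None, now)
    print("always-allow accepts unsigned:", AlwaysAllowWebhookAuth().authenticate(forged))
    print("signed auth accepts signed:", auth.authenticate(good))
    print("signed auth rejects unsigned:", auth.authenticate(forged))
```

Signing the raw body rather than a parsed form matters: the signature must be checked over exactly the bytes received, before any JSON decoding, or an attacker can find encodings the verifier and the task runner read differently.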

MEDIUM 1Panel-dev CVE published 2026-05-26

CVE-2026-42337

A broken access control vulnerability in MaxKB 2.8.0 and prior allows authenticated attackers to access OSS file service URLs belonging to other applications. The `chat/api/oss/get_url` endpoint accepts an `application_id` from the URL path without verifying that the requesting user owns or has permission to access that application. This permits horizontal privilege escalation where an attacker with valid [truncated]
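An added example, not MaxKB's code, of the missing check: before an OSS URL is issued, the `application_id` taken from the path is resolved to an application the caller may access (owner or workspace member), and the requested file is confirmed to belong to that application. The application, workspace and file records, the user names and the URL shape are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Application:
    id: str
    owner_id: str
    workspace_id: str


# Constructed fixture: two applications in different workspaces, one file each.
APPLICATIONS: Dict[str, Application] = {
    "app-a": Application("app-a", owner_id="alice", workspace_id="ws-1"),
    "app-b": Application("app-b", owner_id="bob", workspace_id="ws-2"),
}
WORKSPACE_MEMBERS: Dict[str, Set[str]] = {"ws-1": {"alice", "carol"}, "ws-2": {"bob"}}
FILE_OWNER_APP: Dict[str, str] = {"file-1": "app-a", "file-2": "app-b"}


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so IDs cannot be enumerated via 403s."""


def vulnerable_get_url(user_id: str, application_id: str, file_id: str) -> str:
    """The advisory's shape: application_id from the path is used as-is for any authenticated user."""
    return f"/oss/{application_id}/{file_id}"


def application_for_user(user_id: str, application_id: str) -> Application:
    app = APPLICATIONS.get(application_id)
    if app is None:
        raise NotFound(application_id)
    allowed = user_id == app.owner_id or user_id in WORKSPACE_MEMBERS.get(app.workspace_id, set())
    if not allowed:
        raise NotFound(application_id)
    return app


def get_url(user_id: str, application_id: str, file_id: str) -> str:
    app = application_for_user(user_id, application_id)
    # Second check: the file must belong to the application named in the path, otherwise an
    # application the caller does own could be used as a door to another application's files.
    if FILE_OWNER_APP.get(file_id) != app.id:
        raise NotFound(file_id)
    return f"/oss/{app.id}/{file_id}"


if __name__ == "__main__":
    print(vulnerable_get_url("carol", "app-b", "file-2"))  # issued, although carol is not in ws-2
    try:
        get_url("carol", "app-b", "file-2")
    except NotFound as e:
        print("rejected:", e)
```

The ownership lookup belongs in one shared helper that every `application_id`-scoped endpoint calls, so a new route cannot forget it the way this one did.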

MEDIUM 1Panel-dev CVE published 2026-05-26

CVE-2026-42336

A server-side request forgery (SSRF) vulnerability exists in MaxKB versions 2.8.0 and prior. The flaw resides in the OSS file service URL fetch functionality, where inconsistent DNS resolution between validation and actual request execution creates a TOCTOU (time-of-check to time-of-use) race condition. An attacker with low privileges can exploit this inconsistency to bypass URL validation and access inte [truncated]

MEDIUM 1Panel-dev CVE published 2026-05-26

CVE-2026-42335

CVE-2026-42335 is a server-side request forgery (SSRF) vulnerability in MaxKB, an open-source AI assistant for enterprise environments. The vulnerability affects versions 2.8.0 and prior, with a fix released in version 2.8.1. The flaw resides in the OSS file service URL fetch endpoint (`chat/api/oss/get_url`), where inconsistent URL parsing between the `urlparse` validation function and the `requests` HTT [truncated]
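One added example serves both SSRF entries above (CVE-2026-42336, the DNS check-then-fetch race, and CVE-2026-42335, the parser mismatch between validation and the HTTP client). It is not MaxKB's code and does not claim to reproduce the specific bypass input used against the project. It does two things a hardened URL fetch needs: it parses once and rejects inputs on which URL parsers are known to disagree (userinfo, backslashes, whitespace), then resolves the host exactly once and pins the connection to that address so no second lookup can happen. The hostnames, IP answers and the rebinding resolver are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
AMBIGUOUS = set("\\ \t\r\n")  # characters on which URL parsers are known to disagree


class Rejected(ValueError):
    pass


def canonicalize(url: str) -> Tuple[str, str, int, str]:
    """Parse once, refuse anything a second parser might read differently,
    and hand (scheme, host, port, path_and_query) to the rest of the pipeline."""
    if any(c in AMBIGUOUS for c in url) or "@" in url:
        raise Rejected("userinfo, whitespace or backslash in URL")
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        raise Rejected("invalid port")
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise Rejected("scheme or host missing")
    host = parts.hostname.rstrip(".").lower()
    port = port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, host, port, path


def is_public(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified)


def resolve_once(host: str, resolver: Callable[[str], str]) -> str:
    """Resolve a hostname exactly one time; literal IPs pass through unchanged."""
    try:
        ipaddress.ip_address(host)
        ip = host
    except ValueError:
        ip = resolver(host)
    if not is_public(ip):
        raise Rejected(f"{host} -> {ip} is not a public address")
    return ip


def vulnerable_connect_target(url: str, resolver: Callable[[str], str]) -> str:
    """Check-then-fetch: validate on one lookup, then let the HTTP client look up again."""
    _, host, _, _ = canonicalize(url)
    resolve_once(host, resolver)  # time of check
    return resolver(host)         # time of use: the client resolves independently


def pinned_connect_target(url: str, resolver: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Hardened: the address from the single validated lookup is the one the socket connects to;
    the validated hostname travels in the Host header (and SNI for TLS) and is never re-resolved."""
    scheme, host, port, path = canonicalize(url)
    ip = resolve_once(host, resolver)
    return {"scheme": scheme, "connect": (ip, port), "host_header": host, "path": path}


def rebinding_resolver(answers: Iterable[str]) -> Callable[[str], str]:
    """Constructed DNS that answers differently on successive lookups (a rebinding attacker)."""
    it = iter(answers)
    return lambda host: next(it)


if __name__ == "__main__":
    attacker_dns = rebinding_resolver(["93.184.216.34", "127.0.0.1"])
    print("check-then-fetch connects to:", vulnerable_connect_target("http://files.example/doc.pdf", attacker_dns))
    attacker_dns = rebinding_resolver(["93.184.216.34", "127.0.0.1"])
    print("pinned fetch connects to:", pinned_connect_target("http://files.example/doc.pdf", attacker_dns)["connect"])
```

With `requests`, the pinned plan is used by sending the request to `http://<ip>:<port><path>` with `Host: <host_header>` set explicitly; for HTTPS the hostname must also drive SNI and certificate verification, which plain `requests` does not do for an IP URL, so a transport adapter such as `requests_toolbelt`'s `HostHeaderSSLAdapter` (the author's suggestion, not something the advisory names) is needed. Redirects must be disabled or re-run through the same validation, since a redirect target is another attacker-chosen URL.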