CVE-2026-39417
Received Received - Intake
Remote Code Execution in MaxKB MCP Node Workflow Engine

Publication date: 2026-04-14

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path (loading MCP config from the database). The else branch, responsible for loading mcp_servers directly from user-supplied JSON remains completely unpatched. Since mcp_source is an optional field (required=False), an attacker can simply omit it or set it to any non-referencing value to bypass the fix. By calling the workflow creation API directly with a crafted JSON payload, an attacker can inject a complete MCP node configuration with stdio transport, arbitrary command, and args β€” achieving RCE when the workflow is triggered via chat. This issue has been fixed in version 2.8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39417
EUVD
EUVD-2026-22162
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
maxkb maxkb to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-39417 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-39417 is a Remote Code Execution (RCE) vulnerability in the MCP node of the MaxKB workflow engine affecting versions 2.7.1 and below. It stems from an incomplete fix for a previous vulnerability (CVE-2025-53928). The issue arises because MaxKB restricts loading MCP configuration from the database but leaves the alternative code pathβ€”loading MCP servers directly from user-supplied JSONβ€”unpatched. Since the mcp_source field is optional, an attacker can omit it or set it to a non-referencing value to bypass the fix.

By calling the workflow creation API with a crafted JSON payload, an attacker can inject a fully controlled MCP node configuration that uses stdio transport with arbitrary commands and arguments. This leads to remote code execution when the workflow is triggered via chat.

The vulnerability is due to improper neutralization of special elements used in OS commands (CWE-78), allowing command injection through unsanitized input.

Impact Analysis

This vulnerability allows an attacker with low privileges and requiring user interaction to execute arbitrary operating system commands remotely on the affected system. This can lead to unauthorized actions such as executing malicious code, compromising system integrity, leaking sensitive information, or disrupting availability.

Because the attacker can inject commands via the workflow creation API and trigger them through chat, it poses a risk of remote exploitation that could affect the confidentiality, integrity, and availability of the system, albeit with low impact severity as per the CVSS score.

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious API calls to the workflow creation endpoint that include crafted JSON payloads manipulating the MCP node configuration, especially those omitting or setting the mcp_source field to non-referencing values and including stdio transport with arbitrary commands.

Since the vulnerability exploits the workflow creation API with user-supplied JSON, network or application logs should be inspected for unusual POST requests containing JSON with mcp_servers fields that include stdio transport or unexpected command arguments.

Specific commands to detect exploitation attempts are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade MaxKB to version 2.8.0 or later, where the vulnerability has been fixed by adding validation of MCP transport configurations to prevent command injection.

If upgrading immediately is not possible, restrict access to the workflow creation API to trusted users only, and monitor or block requests that attempt to supply custom MCP node configurations with stdio transport.

Review and apply the patch that integrates the ToolExecutor().validate_mcp_transport() method to validate MCP stdio transport configurations, as described in the fix details.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart