CVE-2026-39417
Remote Code Execution in MaxKB MCP Node Workflow Engine
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | up to 2.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-39417 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39417 is a Remote Code Execution (RCE) vulnerability in the MCP node of the MaxKB workflow engine affecting versions 2.7.1 and below. It stems from an incomplete fix for a previous vulnerability (CVE-2025-53928). The issue arises because MaxKB restricts loading MCP configuration from the database but leaves the alternative code path (loading MCP servers directly from user-supplied JSON) unpatched. Since the mcp_source field is optional, an attacker can omit it or set it to a non-referencing value to bypass the fix.
By calling the workflow creation API with a crafted JSON payload, an attacker can inject a fully controlled MCP node configuration that uses stdio transport with arbitrary commands and arguments. This leads to remote code execution when the workflow is triggered via chat.
The vulnerability is due to improper neutralization of special elements used in OS commands (CWE-78), allowing command injection through unsanitized input.
How can this vulnerability impact me?
This vulnerability allows a low-privileged attacker, with user interaction required, to execute arbitrary operating system commands remotely on the affected system. This can lead to unauthorized actions such as executing malicious code, compromising system integrity, leaking sensitive information, or disrupting availability.
Because the attacker can inject commands via the workflow creation API and trigger them through chat, it poses a risk of remote exploitation that could affect the confidentiality, integrity, and availability of the system, albeit with low impact severity as per the CVSS score.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious API calls to the workflow creation endpoint that include crafted JSON payloads manipulating the MCP node configuration, especially those omitting or setting the mcp_source field to non-referencing values and including stdio transport with arbitrary commands.
Since the vulnerability exploits the workflow creation API with user-supplied JSON, network or application logs should be inspected for unusual POST requests containing JSON with mcp_servers fields that include stdio transport or unexpected command arguments.
Specific commands to detect exploitation attempts are not provided in the available resources.
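The log inspection described above can be sketched as a schema-agnostic scanner over captured request bodies. This is an added example, not code from the advisory or from MaxKB: the key names `mcp_servers` and `mcp_source` come from the text above, while `transport`, `command`, `args` and the sample bodies are assumptions.

```python
import json

# Key names "mcp_servers" and "mcp_source" are taken from the advisory text.
# "transport", "command" and "args" are assumed, following common MCP client configs.

def _decode(value):
    """mcp_servers may be a dict or a JSON-encoded string; return a dict or None."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return None
    return value if isinstance(value, dict) else None

def find_inline_stdio_mcp(body, path="$"):
    """Walk a parsed request body; report inline MCP servers that would spawn a process."""
    findings = []
    if isinstance(body, dict):
        servers = _decode(body.get("mcp_servers")) or {}
        for name, cfg in servers.items():
            if not isinstance(cfg, dict):
                continue
            if str(cfg.get("transport", "")).lower() == "stdio" or "command" in cfg:
                findings.append({
                    "path": f"{path}.mcp_servers.{name}",
                    # Absent or non-referencing mcp_source is the bypass case described above.
                    "mcp_source": body.get("mcp_source"),
                    "command": cfg.get("command"),
                    "args": cfg.get("args", []),
                })
        for key, value in body.items():
            findings += find_inline_stdio_mcp(value, f"{path}.{key}")
    elif isinstance(body, list):
        for i, value in enumerate(body):
            findings += find_inline_stdio_mcp(value, f"{path}[{i}]")
    return findings

# Constructed request bodies (not MaxKB's real schema; the command is a placeholder).
SUSPICIOUS = {"nodes": [{"id": "n1", "config": {
    "mcp_servers": json.dumps({"local": {"transport": "stdio",
                                         "command": "/usr/bin/example", "args": ["--flag"]}})}}]}
BENIGN = {"nodes": [{"id": "n2", "config": {
    "mcp_servers": {"remote": {"transport": "sse", "url": "https://mcp.example.internal/sse"}}}}]}

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, find_inline_stdio_mcp(body))
```

Each finding carries the JSON path and the `mcp_source` value seen beside it, so an analyst can separate inline definitions from ones that reference a stored configuration.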
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade MaxKB to version 2.8.0 or later, where the vulnerability has been fixed by adding validation of MCP transport configurations to prevent command injection.
If upgrading immediately is not possible, restrict access to the workflow creation API to trusted users only, and monitor or block requests that attempt to supply custom MCP node configurations with stdio transport.
Review and apply the patch that integrates the ToolExecutor().validate_mcp_transport() method to validate MCP stdio transport configurations, as described in the fix details.