CVE-2026-39419
Received Received - Intake
Sandbox Bypass in MaxKB Allows Spoofed Tool Execution Results

Publication date: 2026-04-14

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39419
EUVD
EUVD-2026-22191
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
maxkb maxkb to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves identifying attempts to spoof tool execution results by exploiting Python frame introspection and early process termination in MaxKB versions 2.7.1 and below.

One approach is to monitor for suspicious Python processes that use frame introspection to read wrapper UUIDs from bytecode constants and then write forged results directly to file descriptor 1, bypassing stdout redirection.

Since the attack involves writing directly to file descriptor 1 using os.write(1, payload) and calling sys.exit(0) early, you can look for unusual Python subprocess executions or unexpected early exits in MaxKB tool wrappers.

Commands to help detect this behavior might include:

  • Using process monitoring tools (e.g., ps, top) to identify Python processes running MaxKB wrappers.
  • Using strace or similar system call tracing tools to detect calls to os.write on file descriptor 1 from Python processes.
  • Checking logs for unexpected early termination of MaxKB subprocesses (sys.exit(0) calls).
  • Reviewing MaxKB debug logs for missing or malformed output markers such as the expected UUID prefix and "__END__" marker, which indicate tampering or incomplete execution.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade MaxKB to version 2.8.0 or later, where this vulnerability has been fixed.

The fix includes replacing the UUID generation with a cryptographically secure token, passing this token securely via environment variables, and verifying output integrity by checking for the token prefix and an "__END__" marker.

Until you can upgrade, consider monitoring and restricting authenticated user actions that can execute custom Python code within MaxKB, as the vulnerability requires authenticated access.

Additionally, review and tighten subprocess execution permissions and sandboxing configurations to limit the ability to exploit Python frame introspection and early process termination.

Impact Analysis

This vulnerability allows an attacker with authentication to compromise the integrity of tool execution results within MaxKB.

Specifically, the attacker can cause MaxKB to accept forged execution results, potentially leading to incorrect or manipulated data being processed or trusted by the system.

The CVSS v3.1 base score is 3.1, indicating a low severity impact focused on integrity, with no impact on confidentiality or availability.

Compliance Impact

The vulnerability in MaxKB allows an authenticated user to spoof tool execution results by bypassing sandbox result validation, leading to a low-severity integrity impact. While there is no confidentiality or availability impact, the integrity of the tool execution results can be compromised.

This integrity issue could potentially affect compliance with standards and regulations that require data integrity and trustworthy processing of information, such as GDPR and HIPAA. Specifically, if MaxKB is used in environments subject to these regulations, the ability to spoof results might undermine the reliability of automated decision-making or audit trails, which are critical for compliance.

However, the CVE description and resources do not explicitly mention compliance impacts or specific regulatory consequences.

Executive Summary

CVE-2026-39419 is a vulnerability in MaxKB versions 2.7.1 and below where an authenticated user can spoof tool execution results by bypassing sandbox result validation.

The attacker exploits Python frame introspection to read a unique identifier (_id) embedded in the wrapper script's bytecode constants. Using this _id, the attacker forges a JSON response and writes it directly to the system's standard output file descriptor, bypassing normal output redirection.

By calling sys.exit(0) immediately after writing the forged output, the attacker terminates the process before the legitimate output is printed. As a result, the MaxKB service trusts the spoofed response as genuine.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39419. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart