CVE-2026-39420
Sandbox Escape via LD_PRELOAD Bypass in MaxKB AI Assistant
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | to 2.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in MaxKB allows an authenticated user with tool execution privileges to escape sandbox restrictions and achieve unrestricted remote code execution and network access. This could potentially lead to unauthorized access to sensitive data or systems.
Such unauthorized access and potential data exposure or modification could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality, integrity, and access.
However, the CVE description and resources do not explicitly discuss compliance implications or specific regulatory impacts.
Can you explain this vulnerability to me?
CVE-2026-39420 is a vulnerability in MaxKB, an open-source AI assistant for enterprise, affecting versions 2.7.1 and below. The issue arises from an incomplete sandbox protection mechanism that allows an authenticated user with tool execution privileges to escape the sandbox.
MaxKB uses a sandbox implemented by injecting a shared library (sandbox.so) via the LD_PRELOAD environment variable to restrict untrusted Python code execution, limiting network and file system access by intercepting critical C library functions like execve, socket, and open.
However, the sandbox allows execution of the /usr/bin/env utility. An attacker can use the command `env -i python` to clear all environment variables, including LD_PRELOAD, effectively disabling the sandbox hooks in the newly spawned Python process. This lets the attacker bypass all sandbox restrictions.
As a result, the attacker gains unrestricted Remote Code Execution (RCE) and network access within the environment.
How can this vulnerability impact me? :
This vulnerability can allow an authenticated user with tool execution privileges to escape the sandbox restrictions intended to limit code execution and network/file system access.
By bypassing the sandbox, the attacker can execute arbitrary code remotely without restrictions, potentially leading to unauthorized access to system resources and network communications.
The impact includes low confidentiality, integrity, and availability risks, meaning limited data exposure, modification, or service disruption, but still poses a moderate security risk due to the ability to execute unrestricted code.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of sandbox escape attempts using the env command with the -i flag to clear environment variables, which drops the LD_PRELOAD sandbox hook.
You can monitor for suspicious subprocess executions that use commands like `env -i python` or similar invocations that clear environment variables and bypass sandbox restrictions.
Example commands to detect such activity include:
- Use process monitoring tools (e.g., `ps aux | grep 'env -i python'`) to find running processes that may be bypassing the sandbox.
- Check shell history or audit logs for commands invoking `env -i` with Python or other interpreters.
- Use system auditing tools like `auditd` to track executions of `/usr/bin/env` with the `-i` flag.
- Inspect environment variables of running processes to verify if LD_PRELOAD is unexpectedly missing where it should be set.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade MaxKB to version 2.8.0 or later, where the vulnerability has been fixed.
The fix involves changing the sandbox execution method to prevent environment variable clearing bypasses by:
- Replacing the use of `runuser` with `gosu` to switch users after clearing the environment, preventing sandbox escape.
- Removing group execute and read permissions on the `/usr/bin/env` binary to reduce privilege escalation risks.
- Restricting permissions on sandbox-related files and directories (e.g., `/opt/maxkb-app/sandbox/lib`) to limit access.
If immediate upgrade is not possible, consider monitoring and restricting usage of `/usr/bin/env` with the `-i` flag and limiting tool execution privileges to trusted users only.