Compliance Impact

The vulnerability allows arbitrary code execution on an administrator's workstation via maliciously crafted exported Excel files, which could lead to unauthorized access or manipulation of sensitive enterprise data.

Such a security flaw may impact compliance with data protection regulations like GDPR and HIPAA by increasing the risk of data breaches or unauthorized data processing due to exploitation of the CSV Injection vulnerability.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-39424 is a CSV/Formula Injection vulnerability in the MaxKB application's chat export feature for versions 2.7.1 and below. When an administrator exports chat history to an Excel (.xlsx) file, user-supplied strings that start with formula characters such as '=', '+', '-', or '@' are written directly into the spreadsheet without proper sanitization.

Because spreadsheet applications like Microsoft Excel interpret these characters as formulas, this can lead to the execution of arbitrary code on the administrator's workstation via Dynamic Data Exchange (DDE). The vulnerability arises from the export function not neutralizing these formula prefixes, allowing malicious input to be executed when the file is opened.

This issue was fixed in version 2.8.0 by modifying the data sanitization process to prefix any string starting with these special characters with a single quote, preventing the spreadsheet from interpreting the content as a formula.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to Arbitrary Code Execution (RCE) on the administrator's workstation when they open the exported Excel file containing maliciously crafted chat data.

An attacker could exploit this by injecting malicious formulas into chat messages that, when exported and opened, execute harmful commands via Dynamic Data Exchange (DDE) in spreadsheet software.

The impact includes potential compromise of the administrator's system, unauthorized access, data theft, or further malware installation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by examining exported chat history files (.xlsx or CSV) from the MaxKB application for the presence of cell values starting with formula characters such as '=', '+', '-', or '@'. These values, if not properly sanitized, indicate the vulnerability.

You can check exported files for such formula prefixes using commands like the following on a system where the files are stored:

• For CSV files: grep -E '^(=|\+|-|@)' exported_chat.csv
• For Excel (.xlsx) files, you can convert them to CSV using tools like xlsx2csv or use Python scripts with libraries such as openpyxl or pandas to scan cell values for formula prefixes.

Additionally, monitoring network traffic for requests to the vulnerable endpoint `/admin/api/workspace/{workspace_id}/application/{application_id}/chat/export` may help identify export activity that could produce vulnerable files.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the MaxKB application to version 2.8.0 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, avoid opening exported chat history files in spreadsheet applications like Microsoft Excel that interpret formula characters.

Alternatively, manually sanitize exported files by ensuring that any cell values starting with '=', '+', '-', or '@' are prefixed with a single quote (') to neutralize formula execution.

Administrators should also restrict access to the export endpoint and monitor for suspicious export activity.

Useful 0 Not Useful 0