CVE-2026-6108
Received Received - Intake
Remote OS Command Injection in 1Panel-dev MaxKB Model Context Node

Publication date: 2026-04-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6108
EUVD
EUVD-2026-21690
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
1panel-dev maxkb to 2.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6108 is a Remote Code Execution (RCE) vulnerability in MaxKB (version up to 2.6.1) caused by improper validation of Model Context Protocol (MCP) server configurations.

The vulnerability arises because MaxKB attempts to restrict MCP transport types to a whitelist containing only "sse" and "streamable_http", but this validation is only applied in the MCP servers listing API endpoint and is bypassed during application workflow editing and execution.

Specifically, the edit() method saves MCP server configurations directly into the database without validation, and the execute() method loads and uses these configurations without checking them. This allows an attacker to inject arbitrary shell commands via a specially crafted MCP server transport configuration using the "stdio" transport type.

When the workflow containing this malicious configuration is executed, the attacker-controlled commands run on the MaxKB server, leading to remote code execution.

Impact Analysis

This vulnerability allows an attacker with access to the workflow editing functionality to execute arbitrary shell commands on the MaxKB server remotely.

The impact includes potential full compromise of the affected server, unauthorized access to sensitive data, disruption of services, and the ability to install malware or pivot to other systems within the network.

Because the exploit is publicly available and the vulnerability is remotely exploitable, the risk of attack is significant if the affected version is in use and not patched.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized modifications to MCP server configurations, especially those involving the 'stdio' transport type which allows command injection.

Since the exploit involves injecting arbitrary shell commands via the workflow edit endpoint, you can look for suspicious API calls to the PUT /api/workspace/{workspace_id}/application/{application_id}/edit endpoint that include MCP server configurations with transport types outside the whitelist ("sse" and "streamable_http"), particularly "stdio".

Suggested commands to detect potential exploitation attempts include:

  • Inspect web server or application logs for PUT requests to the edit endpoint containing 'stdio' or suspicious command strings, e.g., using grep: `grep -i 'stdio' /var/log/maxkb/access.log`
  • Monitor running processes or command history for unexpected shell commands that could be injected, e.g., `ps aux | grep bash` or `history | grep id`
  • Check the database entries for MCP server configurations containing non-whitelisted transport types by querying the relevant tables storing MCP configurations.
Mitigation Strategies

The immediate mitigation step is to upgrade the affected MaxKB component to a fixed version released by the vendor that improves whitelist validation and blocks non-whitelisted transports during all relevant operations.

Until an upgrade can be applied, restrict access to the workflow edit API endpoint (PUT /api/workspace/{workspace_id}/application/{application_id}/edit) to trusted and authenticated users only, and monitor for suspicious activity.

Additionally, review and sanitize MCP server configurations stored in the system to remove any entries using the 'stdio' transport or other unauthorized transport types.

Implement network-level controls to limit exposure of the MaxKB server to untrusted networks.

Compliance Impact

The provided information does not specify how CVE-2026-6108 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart