CVE-2026-42337
Broken Access Control in MaxKB Application
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | up to 2.8.1 (excluding) |
| maxkb | maxkb | 2.8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass access controls and perform unauthorized operations under other applications' policies. This could lead to unauthorized access to sensitive data or manipulation of resources belonging to other applications, potentially compromising confidentiality and integrity within the MaxKB environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade MaxKB to version 2.8.1 or later, where the broken access control issue in the OSS file service URL fetch API (chat/api/oss/get_url) has been fixed.
Can you explain this vulnerability to me?
The vulnerability in MaxKB versions 2.8.0 and earlier is a broken access control issue (CWE-862, missing authorization) in the OSS file service URL fetch API endpoint (chat/api/oss/get_url). The endpoint takes the application_id from the URL path and acts on it without verifying that the requester actually owns that application. As a result, a requester can supply another application's application_id and have the endpoint perform operations under that application's policies, potentially accessing or manipulating data it should not have access to. This vulnerability was fixed in version 2.8.1.
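The following is an added illustration of the missing-authorization pattern just described; it is not MaxKB's code. It models the endpoint as two plain Python handlers over a constructed in-memory ownership table: one that trusts the application_id from the path (the flaw), and one that checks ownership before acting under that application's storage policy. The names `APPLICATION_OWNERS`, `OSS_POLICIES`, `get_url_vulnerable` and `get_url_fixed` are assumptions made for this example.

```python
"""Added example: CWE-862 in a URL-fetch handler, vulnerable vs. fixed.

Hypothetical model of the pattern described for chat/api/oss/get_url.
All tables, names and URLs below are constructed for illustration and are
not taken from the MaxKB code base.
"""
from dataclasses import dataclass, field

# Constructed sample data: which user owns each application, and the
# per-application object-storage policy the endpoint builds URLs under.
APPLICATION_OWNERS = {"app-a": "user-1", "app-b": "user-2"}
OSS_POLICIES = {
    "app-a": {"bucket": "bucket-a", "prefix": "app-a/"},
    "app-b": {"bucket": "bucket-b", "prefix": "app-b/"},
}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus JSON body."""
    status: int
    body: dict = field(default_factory=dict)


def _build_url(policy: dict, file_name: str) -> str:
    """Compose the download URL for a file under an application's policy."""
    return f"https://{policy['bucket']}.example/{policy['prefix']}{file_name}"


def get_url_vulnerable(requester: str, application_id: str, file_name: str) -> Response:
    """The flawed shape: application_id comes straight from the URL path and
    is used to select a storage policy without asking who owns it. Any
    authenticated requester can therefore act under any application's policy."""
    policy = OSS_POLICIES.get(application_id)
    if policy is None:
        return Response(404, {"error": "unknown application"})
    return Response(200, {"url": _build_url(policy, file_name)})


def get_url_fixed(requester: str, application_id: str, file_name: str) -> Response:
    """The corrected shape: resolve the application's owner and refuse unless
    it matches the authenticated requester, before touching any policy."""
    owner = APPLICATION_OWNERS.get(application_id)
    if owner is None:
        return Response(404, {"error": "unknown application"})
    if owner != requester:
        # Object-level authorization check that the vulnerable handler lacks.
        # Returning 404 here instead of 403 would additionally avoid confirming
        # that the application id exists; 403 is used to keep the example clear.
        return Response(403, {"error": "forbidden"})
    policy = OSS_POLICIES[application_id]
    return Response(200, {"url": _build_url(policy, file_name)})


if __name__ == "__main__":
    # user-1 owns app-a only; asking for app-b should be refused by the fix.
    print(get_url_vulnerable("user-1", "app-b", "report.pdf"))  # 200: flaw
    print(get_url_fixed("user-1", "app-b", "report.pdf"))       # 403: fixed
    print(get_url_fixed("user-2", "app-b", "report.pdf"))       # 200: owner
```

The important structural point is where the check lives: ownership is resolved from the server-side table keyed by the path parameter, and the requester identity comes from the authenticated session, never from the request. A regression test that calls the handler with a non-owner identity and expects a 403 is the cheapest way to keep this class of bug from returning.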
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in MaxKB 2.8.0 and prior allows attackers to bypass access controls and perform operations under other applications' policies by exploiting the OSS file service URL fetch API without proper ownership validation.
Such broken access control can lead to unauthorized data access or manipulation, which may result in violations of data protection regulations like GDPR or HIPAA that require strict access controls and data confidentiality.
Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive data or allowing unauthorized actions within the affected system.