CVE-2026-45413
Weak Password Storage in MaxKB Prior to 2.9.1
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | 2.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability involves storing user passwords using unsalted MD5 hashes, which are easily crackable. Such weak password storage practices can lead to unauthorized access to user data if passwords are compromised.
Using insecure password hashing methods like unsalted MD5 may violate security requirements in common standards and regulations such as GDPR and HIPAA, which mandate appropriate safeguards to protect personal and sensitive data.
Therefore, this vulnerability could negatively impact compliance with these regulations by failing to ensure adequate protection of user credentials.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade MaxKB to version 2.9.1 or later, where the vulnerability is fixed.
Additionally, consider resetting user passwords after the upgrade to ensure that new passwords are stored securely.
Can you explain this vulnerability to me?
The vulnerability in MaxKB, an open-source AI assistant for enterprise, involves the way user passwords were stored prior to version 2.9.1. Passwords were hashed using unsalted MD5 hashes, which are weak and easily cracked using rainbow tables or GPU-accelerated brute force tools like hashcat.
How can this vulnerability impact me?
Because passwords are stored using unsalted MD5 hashes, attackers can easily crack these hashes to recover user passwords. This can lead to unauthorized access to user accounts and potentially compromise sensitive enterprise data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves user passwords being stored as unsalted MD5 hashes prior to version 2.9.1 of MaxKB. To determine whether your system is affected, check the installed MaxKB version and inspect the password storage method.
- Verify the MaxKB version installed on your system to see if it is prior to 2.9.1.
- Check the password hashes stored in the system to determine if they are unsalted MD5 hashes.
Example commands to assist detection might include:
- Check MaxKB version: `maxkb --version` or check the installed package version via your package manager.
- Inspect password hashes in the database or configuration files for MD5 hash patterns (32 hexadecimal characters) without salts.
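As an added example (not code from the MaxKB project or from this advisory), the Python script below labels stored credential strings by the scheme they appear to use, flags bare unsalted digests of the kind described above, and shows a salted, iterated PBKDF2 replacement beside the weak MD5 form. The sample records and the `pbkdf2_sha256$iterations$salt$hash` layout are constructed for illustration; MaxKB's real storage format is not given on this page.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example

def legacy_md5(password: str) -> str:
    """The weak scheme the advisory describes: one unsalted MD5 digest per password."""
    return hashlib.md5(password.encode()).hexdigest()

def classify_hash(stored: str) -> str:
    """Label a stored credential string by the scheme it appears to use."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "unsalted-digest-md5-size"      # 32 hex chars, no salt, no parameters
    if re.fullmatch(r"[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", stored):
        return "unsalted-digest-sha-size"      # bare SHA-1 / SHA-256 hex is weak too
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("$argon2"):
        return "argon2"
    if re.fullmatch(r"pbkdf2_sha256\$\d+\$[^$]+\$[^$]+", stored):
        return "pbkdf2"
    return "unknown"

def find_weak(records):
    """Return usernames whose stored hash is a bare unsalted digest (reset/rehash candidates)."""
    return [user for user, h in records if classify_hash(h).startswith("unsalted")]

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the output layout is this example's own."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(stored: str, password: str) -> bool:
    """Constant-time comparison; refuses to verify against legacy bare digests."""
    if classify_hash(stored) != "pbkdf2":
        return False
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample records, not data from any real MaxKB deployment.
SAMPLE_RECORDS = [
    ("alice", legacy_md5("password")),        # pre-2.9.1 style: crackable
    ("bob", hash_password("correct horse")),  # salted and iterated: acceptable
    ("carol", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$ZmFrZWhhc2g"),  # constructed
]

if __name__ == "__main__":
    print("accounts needing a password reset or rehash:", find_weak(SAMPLE_RECORDS))
```

Run it against an export of your own user table's hash column to get the list of accounts to reset after upgrading.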