CVE-2026-45413
Deferred Deferred - Pending Action
Weak Password Storage in MaxKB Prior to 2.9.1

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force (hashcat). This vulnerability is fixed in 2.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-45413
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
maxkb maxkb 2.9.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability involves storing user passwords using unsalted MD5 hashes, which are easily crackable. Such weak password storage practices can lead to unauthorized access to user data if passwords are compromised.

Using insecure password hashing methods like unsalted MD5 may violate security requirements in common standards and regulations such as GDPR and HIPAA, which mandate appropriate safeguards to protect personal and sensitive data.

Therefore, this vulnerability could negatively impact compliance with these regulations by failing to ensure adequate protection of user credentials.

Mitigation Strategies

The primary mitigation step is to upgrade MaxKB to version 2.9.1 or later, where the vulnerability is fixed.

Additionally, consider resetting user passwords after the upgrade to ensure that new passwords are stored securely.

Executive Summary

The vulnerability in MaxKB, an open-source AI assistant for enterprise, involves the way user passwords were stored prior to version 2.9.1. Passwords were hashed using unsalted MD5 hashes, which are weak and easily cracked using rainbow tables or GPU-accelerated brute force tools like hashcat.

Impact Analysis

Because passwords are stored using unsalted MD5 hashes, attackers can easily crack these hashes to recover user passwords. This can lead to unauthorized access to user accounts and potentially compromise sensitive enterprise data.

Detection Guidance

This vulnerability involves user passwords being stored using unsalted MD5 hashes prior to version 2.9.1 of MaxKB. To detect if your system is affected, you should check the version of MaxKB installed and inspect the password storage method.

  • Verify the MaxKB version installed on your system to see if it is prior to 2.9.1.
  • Check the password hashes stored in the system to determine if they are unsalted MD5 hashes.

Example commands to assist detection might include:

  • Check MaxKB version: `maxkb --version` or check the installed package version via your package manager.
  • Inspect password hashes in the database or configuration files for MD5 hash patterns (32 hexadecimal characters) without salts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart