CVE-2026-56779
Status: Deferred - Pending Action
MaxKB Server-Side Request Forgery via Tool Endpoints

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor      Product  Version / Range
1panel-dev  maxkb    < 2.10.0 (2.10.0 excluded)
1panel-dev  maxkb    2.9.2
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-56779 is a Server-Side Request Forgery (SSRF) vulnerability found in MaxKB versions before 2.10.0. It affects the tool creation and update endpoints, where authenticated users can supply unvalidated parameters named downloadCallbackUrl and download_url. Because these parameters are not properly validated, attackers with the default workspace USER role can make arbitrary server requests from the vulnerable server.

This means an attacker can exploit this flaw to access internal network services by submitting malicious URLs to the ToolSerializer endpoints, potentially reaching internal resources that are not normally accessible externally.

Impact Analysis

This vulnerability allows attackers with authenticated access and the default USER role to perform unauthorized internal network requests from the vulnerable MaxKB server. This can lead to exposure of internal services and data that are normally protected behind firewalls or network segmentation.

Such unauthorized internal requests could be used to access sensitive internal resources, potentially leading to information disclosure or further exploitation within the internal network.

Detection Guidance

Detection rests on inspecting requests to the tool creation and update endpoints whose downloadCallbackUrl or download_url values point at internal, loopback, link-local or otherwise unexpected hosts.

The published proof of concept triggers a connection from the MaxKB server to an internal service (a Redis instance on port 6379 in the example) by supplying a callback URL that points at it.

To detect exploitation attempts, you can inspect logs for requests containing these parameters with unexpected URLs or use network monitoring tools to identify outgoing requests to internal services initiated by the application.

  • Use curl or wget to send requests whose downloadCallbackUrl or download_url value points at a host you control, then confirm whether the server connects to it (only against deployments you are authorised to test).
  • Illustrative curl command (replace <target_url> and <malicious_url>; the endpoint path and the basic-auth flag are placeholders as well and must be replaced with the route and authentication header your MaxKB version actually uses): curl -X POST <target_url>/api/tool/create -d '{"downloadCallbackUrl":"<malicious_url>"}' -H 'Content-Type: application/json' -u user:password
  • Monitor application logs for entries where downloadCallbackUrl or download_url contain loopback, RFC 1918, link-local (including the cloud metadata address 169.254.169.254) or otherwise unexpected hosts.
Compliance Impact

The provided information does not specify how the SSRF vulnerability in MaxKB affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate mitigation step is to upgrade MaxKB to version 2.10.0 or later, where the vulnerability has been patched by adding validation for downloadCallbackUrl and download_url parameters.

If upgrading immediately is not possible, restrict tool creation and update to trusted users and monitor for suspicious activity involving these parameters. Note that the default workspace USER role is sufficient to exploit the flaw, so the relevant control is removing that role's ability to create or edit tools, not merely requiring authentication.

Implement network-level egress controls so the application server cannot reach internal services it has no reason to call, such as the loopback or private-network Redis instance used in the proof of concept.

Validate downloadCallbackUrl and download_url against an allowlist of expected hostnames: restrict the scheme to http or https, reject IP literals and embedded credentials, and confirm that the hostname resolves only to public addresses. Because the HTTP client resolves the name again when it fetches, apply the same check to the address actually connected to and to every redirect target; a check that only looks at the hostname string is easy to bypass.
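The following block is an added example and is not MaxKB's own code or patch. It implements the hostname-allowlist guard described above and reuses it as the log scanner from the Detection Guidance section, so both passages are served by one piece of code. ALLOWED_HOSTS, the /api/tool paths, the DNS answers and the log records are all constructed for illustration; the resolver is injectable so the example runs offline, and the default resolver does real DNS.

```python
"""Added example (not MaxKB's own code): SSRF guard for tool callback/download
URLs, plus a log scanner that applies the same guard to request records."""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"tools.example.com", "cdn.example.com"}  # hypothetical allowlist
SSRF_PARAMS = ("downloadCallbackUrl", "download_url")     # parameters from the advisory

class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched server-side."""

def _as_ip(text):
    """ip_address object for an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _is_internal(addr):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata),
    CGNAT, multicast, reserved, and IPv4-mapped IPv6 forms of those."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved

def _system_resolve(host):
    """Default resolver: every A/AAAA answer for host (performs real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_outbound_url(url, resolver=_system_resolve):
    """Allow only http(s) to an allowlisted hostname resolving solely to public
    addresses; raise UnsafeUrl otherwise, return url unchanged on success."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise UnsafeUrl("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials embedded in URL")
    if _as_ip(host) is not None:  # [::1], ::ffff:..., 127.1 and friends stop here
        raise UnsafeUrl(f"IP literal not allowed: {host}")
    if host not in ALLOWED_HOSTS:  # name-based policy; odd IP encodings land here
        raise UnsafeUrl(f"host not in allowlist: {host}")
    # An allowlisted name can still point inside (stale or attacker-influenced
    # DNS), so check every resolved address, not just the first.
    for addr in resolver(host):
        if _is_internal(addr):
            raise UnsafeUrl(f"{host} resolves to non-public address {addr}")
    # Caveat: the HTTP client resolves again at fetch time. Close the DNS
    # rebinding window by connecting to an address checked here, and re-apply
    # this function to every redirect target before following it.
    return url

def scan_log(text, resolver=_system_resolve):
    """Run the guard over JSON-lines request records; one finding per rejected value."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        body = rec.get("body") or {}
        for param in SSRF_PARAMS:
            if param not in body:
                continue
            try:
                validate_outbound_url(body[param], resolver=resolver)
            except UnsafeUrl as exc:
                findings.append({"ts": rec["ts"], "user": rec["user"], "param": param,
                                 "url": body[param], "reason": str(exc)})
    return findings

# Constructed DNS answers so the example runs offline; cdn.example.com models
# an allowlisted name that points at an internal address.
FAKE_DNS = {"tools.example.com": ["93.184.216.34"], "cdn.example.com": ["10.0.0.5"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

# Constructed JSON-lines application log; the /api/tool paths are placeholders,
# not MaxKB's verified routes.
SAMPLE_LOG = """\
{"ts":"2026-06-25T10:01:02Z","user":"alice","method":"POST","path":"/api/tool","body":{"name":"fetch","downloadCallbackUrl":"https://tools.example.com/cb"}}
{"ts":"2026-06-25T10:01:09Z","user":"bob","method":"PUT","path":"/api/tool/42","body":{"download_url":"http://127.0.0.1:6379/"}}
{"ts":"2026-06-25T10:01:15Z","user":"bob","method":"POST","path":"/api/tool","body":{"downloadCallbackUrl":"http://169.254.169.254/latest/meta-data/"}}
{"ts":"2026-06-25T10:01:20Z","user":"carol","method":"GET","path":"/api/tool/42","body":null}
{"ts":"2026-06-25T10:01:31Z","user":"dave","method":"POST","path":"/api/tool","body":{"download_url":"https://cdn.example.com/pkg.zip"}}
{"ts":"2026-06-25T10:01:44Z","user":"erin","method":"POST","path":"/api/tool","body":{"download_url":"gopher://tools.example.com/_INFO"}}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, resolver=fake_resolver):
        print(f"{f['ts']} {f['user']} {f['param']}={f['url']} -> {f['reason']}")
```

Running the block flags bob's two IP-literal callbacks (the Redis and metadata cases), dave's allowlisted name that resolves to 10.0.0.5, and erin's non-http scheme, while alice's request to a public allowlisted host passes. The same validate_outbound_url function is what a serializer would call before storing or using either parameter.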
