CVE-2026-54149
Received Received - Intake

Remote Code Execution in MaxKB via Malicious MCP Tool Import

Vulnerability report for CVE-2026-54149, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not consistently validate MCP transport type, allowing an authenticated user to import a .tool file containing stdio transport with malicious commands and trigger the configuration through an AI Chat node so MultiServerMCPClient executes arbitrary system commands. This issue is fixed in version 2.10.0-lts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
1panel-dev maxkb to 2.10.0-lts (exc)
maxkb maxkb 2.10.0-lts

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users to execute arbitrary system commands on the server, potentially leading to complete system compromise, data theft, lateral movement, and persistent backdoor installation.

Such unauthorized access and data breaches could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Failure to address this vulnerability could expose organizations to regulatory penalties due to compromised confidentiality, integrity, and availability of data.

Executive Summary

CVE-2026-54149 is a post-authentication remote code execution (RCE) vulnerability in MaxKB, an open-source AI assistant for enterprise. The issue arises because the MaxKB tool import functionality and the MCP referencing mode do not properly validate the MCP transport type when importing .tool files. This allows an authenticated user to import a malicious .tool file containing stdio transport with harmful commands. These commands are then executed by the MultiServerMCPClient component, leading to arbitrary system command execution on the server.

The vulnerability stems from two main flaws: the import function in apps/tools/serializers/tool.py fails to validate the transport type, and the AI Chat node referencing mode in base_chat_step.py also omits this validation. Attackers can store malicious MCP configurations in the database, which are later executed via subprocess.Popen, resulting in full server compromise.

Exploitation requires only a valid MaxKB account, which can be self-registered, making the attack straightforward and highly dangerous.

Impact Analysis

This vulnerability can have severe impacts including complete system control by an attacker. Once exploited, the attacker can execute arbitrary system commands on the server hosting MaxKB.

  • Full server compromise
  • Data theft
  • Lateral movement within the network
  • Installation of persistent backdoors

Because exploitation only requires a valid MaxKB account, which can be self-registered, the risk of attack is high and can lead to significant operational and security consequences.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious import of .tool files containing stdio transport configurations that execute arbitrary commands. Since exploitation requires authenticated access, reviewing logs for unusual import activities or API interactions by authenticated users is important.

Specifically, detection can focus on identifying imported MCP configurations that include stdio transport with suspicious commands, as well as monitoring execution of subprocesses triggered by MultiServerMCPClient.

While no explicit commands are provided in the resources, general detection steps could include:

  • Review MaxKB application logs for import events of .tool files and check for presence of stdio transport entries.
  • Monitor process execution on the server for unexpected subprocesses spawned by the MaxKB service, especially those initiated by MultiServerMCPClient.
  • Use network monitoring tools to detect unusual API calls or authenticated user activities related to tool imports.
Mitigation Strategies

The immediate mitigation step is to upgrade MaxKB to version 2.10.0-lts or later, where this vulnerability has been fixed by adding proper validation of MCP transport types during tool import and referencing.

Until the upgrade can be applied, restrict or monitor authenticated user access to the import functionality to prevent malicious .tool file uploads.

Additionally, implement defensive monitoring for suspicious subprocess executions triggered by the MaxKB AI Chat node and MultiServerMCPClient.

Consider applying network segmentation and limiting API access to trusted users only to reduce the risk of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart