Description

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality: the hostname is resolved once to validate it, and the actual request resolves it again, so the DNS answer used for validation can differ from the one used for the fetch (a time-of-check/time-of-use gap). This allows attackers to reach internal network services. This vulnerability is fixed in 2.8.1.
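To make the validation/request gap concrete, here is an added example (not MaxKB's code; the function names, the URL and the IP answers are constructed for the demo) that contrasts the vulnerable pattern with one common fix: resolve the hostname once, validate that address, and pin the outbound connection to it by rewriting the URL while preserving the original hostname for the Host header. The resolver is injected so the example runs offline; `FlippingResolver` models a DNS answer that changes between the check and the fetch.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlsplit, urlunsplit

# A resolver maps a hostname to one IP address string. Injecting it lets the
# example run offline; in production default_resolver() does a real lookup.
Resolver = Callable[[str], str]


def default_resolver(hostname: str) -> str:
    return socket.gethostbyname(hostname)


def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local such as 169.254.0.0/16, and other special-purpose ranges."""
    return ipaddress.ip_address(ip).is_global


def fetch_target_vulnerable(url: str, resolver: Resolver) -> str:
    """Vulnerable pattern: validate by resolving the hostname once, then hand the
    ORIGINAL URL to the HTTP client, which resolves the hostname a second time.
    Returns the IP the request would actually reach."""
    host = urlsplit(url).hostname
    if host is None or not is_public_ip(resolver(host)):
        raise ValueError("hostname resolves to a non-public address")
    # The client library's own lookup at connect time: a different answer here
    # (short TTL, changed record) is the window the advisory describes.
    return resolver(host)


def pin_url(url: str, resolver: Resolver) -> Tuple[str, str]:
    """Hardened pattern: resolve once, validate the IP, and rewrite the URL so the
    client connects to that exact IP. Returns (pinned_url, original_host); the
    original host belongs in the Host header (and in SNI for https)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        raise ValueError("only http(s) URLs with a hostname are allowed")
    host = parts.hostname
    ip = resolver(host)
    if not is_public_ip(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    ip_literal = f"[{ip}]" if ":" in ip else ip  # bracket IPv6 literals
    netloc = ip_literal if parts.port is None else f"{ip_literal}:{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned, host


class FlippingResolver:
    """Constructed resolver for the demo: answers `first` on the first lookup of
    each name and `later` on every following lookup, modelling a DNS answer that
    changes between the validation check and the request."""

    def __init__(self, first: str, later: str) -> None:
        self.first, self.later = first, later
        self.seen = set()

    def __call__(self, hostname: str) -> str:
        if hostname in self.seen:
            return self.later
        self.seen.add(hostname)
        return self.first


if __name__ == "__main__":
    # Constructed sample: a public answer first, loopback afterwards.
    url = "http://files.example.test:8080/bucket/object?x=1"
    print("vulnerable path connects to:",
          fetch_target_vulnerable(url, FlippingResolver("93.184.216.34", "127.0.0.1")))
    print("pinned request:", pin_url(url, FlippingResolver("93.184.216.34", "127.0.0.1")))
```

Two caveats a practitioner should keep in mind: pinning an https URL to an IP literal only works if the HTTP client is told to send the original hostname as SNI and to verify the certificate against it (plain URL rewriting breaks that), and every redirect the fetch follows must go through the same resolve-validate-pin step, otherwise the check is bypassed one hop later.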

Status: Published | Reserved 2026-04-26 | Published 2026-05-26 | Updated 2026-05-27 | Assigner: GitHub_M

Severity: MEDIUM 5.1 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N)

Problem types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 2.8.1: affected

References

github.com/.../MaxKB/security/advisories/GHSA-6m4p-9wwc-4q5q

cve.org (CVE-2026-42336)

nvd.nist.gov (CVE-2026-42336)