CVE-2026-42337 MEDIUM

CVE-2026-42337: MaxKB: Broken Access Control in MaxKB OSS URL Fetch API

Vendor 1Panel-Dev
Product MaxKB
Weakness CWE-862 · Missing authorization
Published May 26, 2026
Last update May 27, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-47836 WordPress WP Meta and Date Remover plugin <= 2.3.0 - Broken Access Control vulnerability CVE-2023-44227 WordPress Simple File List Plugin <= 6.1.9 is vulnerable to Arbitrary File Deletion CVE-2026-32268 Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability CVE-2026-0817 CampaignEvents API missing authorization exposes meeting and chat URLs CVE-2026-24525 WordPress CLP Varnish Cache plugin <= 1.0.2 - Broken Access Control vulnerability