CVE-2026-44847 HIGH

CVE-2026-44847: MaxKB: Webhook Trigger Authentication Bypass

Vendor: 1Panel-Dev
Product: MaxKB
Weakness: CWE-287 · Improper authentication
Published: May 26, 2026
Last update: June 1, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0.
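The authentication pattern described above, next to a hardened form, as an added example that is not MaxKB's code. `run_authenticators` is a simplified model of how Django REST Framework treats an authenticator's return value; the class names other than the idea of a webhook authenticator, the `Authorization: Bearer` header scheme and the sample token are assumptions made for illustration.

```python
import hmac

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

def run_authenticators(headers, authenticators):
    # Simplified model of DRF's loop: None means "this scheme was not
    # attempted"; any tuple is taken as a successful (user, auth) result.
    for authenticator in authenticators:
        result = authenticator.authenticate(headers)
        if result is not None:
            return result
    return None

class PermissiveWebhookAuth:
    # The pattern the advisory describes: a tuple is returned for every
    # request, so no credential is ever checked.
    def authenticate(self, headers):
        return (None, {})

class TokenRequiredWebhookAuth:
    # Hardened sketch (hypothetical): the backend refuses triggers that
    # have no token configured and compares tokens in constant time.
    def __init__(self, trigger_token):
        self.trigger_token = trigger_token

    def authenticate(self, headers):
        scheme, _, supplied = headers.get("Authorization", "").partition(" ")
        if not self.trigger_token:
            raise AuthenticationFailed("trigger has no token configured")
        if scheme != "Bearer" or not hmac.compare_digest(
            supplied.encode(), self.trigger_token.encode()
        ):
            raise AuthenticationFailed("missing or invalid webhook token")
        return ("webhook-caller", {"token_verified": True})

def is_accepted(headers, authenticator):
    try:
        return run_authenticators(headers, [authenticator]) is not None
    except AuthenticationFailed:
        return False

if __name__ == "__main__":
    token = "constructed-sample-token"  # constructed value for the demo
    for name, auth in [("permissive", PermissiveWebhookAuth()),
                       ("hardened", TokenRequiredWebhookAuth(token)),
                       ("hardened, no token set", TokenRequiredWebhookAuth(""))]:
        print(name, is_accepted({}, auth),
              is_accepted({"Authorization": "Bearer " + token}, auth))
```

The third case in the demo covers the "no backend enforcement" part of the description: a trigger with no token configured is rejected outright instead of falling back to open access.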

Key dates

02 Disclosure timeline

May 26, 2026: CVE published
June 1, 2026: Record updated