CVE-2026-39420: CWE-693: Protection Mechanism Failure in 1Panel-dev MaxKB
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0.
AI Analysis
Technical Summary
MaxKB, an open-source AI assistant, uses LD_PRELOAD to inject sandbox.so for restricting untrusted Python code execution by intercepting sensitive C library functions. In versions 2.7.1 and earlier, the sandbox can be bypassed because the /usr/bin/env utility can be executed with the -i flag, which clears all environment variables including LD_PRELOAD. This causes the spawned Python process to run without sandbox restrictions, allowing an authenticated user with tool execution privileges to perform unrestricted remote code execution and network access. The vulnerability is identified as CWE-693 (Protection Mechanism Failure) and CWE-78 (OS Command Injection). It has a CVSS 3.1 score of 6.3 (medium severity) and was fixed in MaxKB version 2.8.0.
Potential Impact
An authenticated user with tool execution privileges can bypass sandbox restrictions intended to limit network and file system access, resulting in unrestricted remote code execution and network access. This compromises the security boundaries enforced by the sandbox, potentially allowing malicious actions within the enterprise environment where MaxKB is deployed.
Mitigation Recommendations
Upgrade MaxKB to version 2.8.0 or later, where this sandbox bypass vulnerability has been fixed. Since this is an open-source product and no official patch link or advisory is provided, users should verify they are running a version at or above 2.8.0. Patch status is not explicitly confirmed beyond the version fix; check the vendor repository or official release notes for confirmation.
CVE-2026-39420: CWE-693: Protection Mechanism Failure in 1Panel-dev MaxKB
Description
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0.
CVSS v3.1
Score 6.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
MaxKB, an open-source AI assistant, uses LD_PRELOAD to inject sandbox.so for restricting untrusted Python code execution by intercepting sensitive C library functions. In versions 2.7.1 and earlier, the sandbox can be bypassed because the /usr/bin/env utility can be executed with the -i flag, which clears all environment variables including LD_PRELOAD. This causes the spawned Python process to run without sandbox restrictions, allowing an authenticated user with tool execution privileges to perform unrestricted remote code execution and network access. The vulnerability is identified as CWE-693 (Protection Mechanism Failure) and CWE-78 (OS Command Injection). It has a CVSS 3.1 score of 6.3 (medium severity) and was fixed in MaxKB version 2.8.0.
Potential Impact
An authenticated user with tool execution privileges can bypass sandbox restrictions intended to limit network and file system access, resulting in unrestricted remote code execution and network access. This compromises the security boundaries enforced by the sandbox, potentially allowing malicious actions within the enterprise environment where MaxKB is deployed.
Mitigation Recommendations
Upgrade MaxKB to version 2.8.0 or later, where this sandbox bypass vulnerability has been fixed. Since this is an open-source product and no official patch link or advisory is provided, users should verify they are running a version at or above 2.8.0. Patch status is not explicitly confirmed beyond the version fix; check the vendor repository or official release notes for confirmation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T00:23:30.595Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd958882d89c981f9c5820
Added to database: 4/14/2026, 1:16:56 AM
Last enriched: 4/21/2026, 5:58:31 AM
Last updated: 5/29/2026, 2:43:58 AM
Views: 131
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.