CVE-2026-42335: CWE-918: Server-Side Request Forgery (SSRF) in 1Panel-dev MaxKB
MaxKB versions prior to 2. 8. 1 contain a server-side request forgery (SSRF) vulnerability in the OSS file service URL fetch endpoint. This flaw arises from inconsistent URL parsing between the validation function and the HTTP client, enabling attackers to potentially access internal network services. The vulnerability is fixed in version 2. 8. 1. The CVSS 4. 0 base score is 6. 3, indicating a medium severity risk.
AI Analysis
Technical Summary
CVE-2026-42335 is a server-side request forgery (SSRF) vulnerability affecting MaxKB, an open-source AI assistant for enterprise, in versions prior to 2.8.1. The issue exists in the OSS file service URL fetch endpoint (chat/api/oss/get_url) due to inconsistent URL parsing between the urlparse validation function and the requests HTTP client. This inconsistency allows attackers to bypass URL validation and make unauthorized requests to internal network services. The vulnerability has been addressed and fixed in MaxKB version 2.8.1.
Potential Impact
Successful exploitation of this SSRF vulnerability could allow an attacker to make unauthorized HTTP requests from the vulnerable server to internal network services, potentially exposing sensitive internal resources. However, there are no known exploits in the wild at this time. The CVSS score of 6.3 reflects a medium severity impact with network attack vector, low attack complexity, and no privileges or user interaction required.
Mitigation Recommendations
Upgrade MaxKB to version 2.8.1 or later, where this SSRF vulnerability has been fixed. Since this is a self-hosted product, users must apply the update themselves. Patch status is confirmed fixed in 2.8.1. No additional mitigations are specified in the vendor advisory.
CVE-2026-42335: CWE-918: Server-Side Request Forgery (SSRF) in 1Panel-dev MaxKB
Description
MaxKB versions prior to 2. 8. 1 contain a server-side request forgery (SSRF) vulnerability in the OSS file service URL fetch endpoint. This flaw arises from inconsistent URL parsing between the validation function and the HTTP client, enabling attackers to potentially access internal network services. The vulnerability is fixed in version 2. 8. 1. The CVSS 4. 0 base score is 6. 3, indicating a medium severity risk.
CVSS v4.0
Score 6.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42335 is a server-side request forgery (SSRF) vulnerability affecting MaxKB, an open-source AI assistant for enterprise, in versions prior to 2.8.1. The issue exists in the OSS file service URL fetch endpoint (chat/api/oss/get_url) due to inconsistent URL parsing between the urlparse validation function and the requests HTTP client. This inconsistency allows attackers to bypass URL validation and make unauthorized requests to internal network services. The vulnerability has been addressed and fixed in MaxKB version 2.8.1.
Potential Impact
Successful exploitation of this SSRF vulnerability could allow an attacker to make unauthorized HTTP requests from the vulnerable server to internal network services, potentially exposing sensitive internal resources. However, there are no known exploits in the wild at this time. The CVSS score of 6.3 reflects a medium severity impact with network attack vector, low attack complexity, and no privileges or user interaction required.
Mitigation Recommendations
Upgrade MaxKB to version 2.8.1 or later, where this SSRF vulnerability has been fixed. Since this is a self-hosted product, users must apply the update themselves. Patch status is confirmed fixed in 2.8.1. No additional mitigations are specified in the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T13:26:14.514Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16041ae29bf47b505e9f25
Added to database: 5/26/2026, 8:35:38 PM
Last enriched: 5/26/2026, 8:50:01 PM
Last updated: 5/27/2026, 5:02:12 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.