CVE-2026-45413: CWE-328: Use of Weak Hash in 1Panel-dev MaxKB
CVE-2026-45413 affects MaxKB, an open-source AI assistant for enterprise, where versions prior to 2. 9. 1 store user passwords using unsalted MD5 hashes. This weak hashing method makes passwords trivially crackable using rainbow tables or GPU-accelerated brute force tools. The vulnerability is addressed in version 2. 9. 1, which replaces the weak hash storage method. The CVSS 4. 0 score is 6. 9, indicating a medium severity level.
AI Analysis
Technical Summary
MaxKB versions before 2.9.1 use unsalted MD5 hashes to store user passwords, a cryptographic weakness classified under CWE-328 (Use of Weak Hash). Unsalted MD5 hashes are vulnerable to precomputed rainbow table attacks and GPU-accelerated brute force, enabling attackers to recover plaintext passwords easily. This vulnerability was publicly disclosed and assigned CVE-2026-45413. The issue is resolved in MaxKB version 2.9.1 by implementing a stronger password hashing mechanism.
Potential Impact
Passwords stored with unsalted MD5 hashes can be quickly cracked if an attacker obtains the hash values, compromising user credentials. This can lead to unauthorized access to user accounts within affected MaxKB deployments. There is no indication of remote exploitability without local access or other conditions, and no known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade MaxKB to version 2.9.1 or later, where the password storage mechanism has been fixed to use a stronger hashing method. Since no official remediation level or patch links are provided, users should verify the upgrade availability from the vendor or project repository. Patch status is not yet confirmed via vendor advisory; check the official MaxKB sources for current remediation guidance.
CVE-2026-45413: CWE-328: Use of Weak Hash in 1Panel-dev MaxKB
Description
CVE-2026-45413 affects MaxKB, an open-source AI assistant for enterprise, where versions prior to 2. 9. 1 store user passwords using unsalted MD5 hashes. This weak hashing method makes passwords trivially crackable using rainbow tables or GPU-accelerated brute force tools. The vulnerability is addressed in version 2. 9. 1, which replaces the weak hash storage method. The CVSS 4. 0 score is 6. 9, indicating a medium severity level.
CVSS v4.0
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
MaxKB versions before 2.9.1 use unsalted MD5 hashes to store user passwords, a cryptographic weakness classified under CWE-328 (Use of Weak Hash). Unsalted MD5 hashes are vulnerable to precomputed rainbow table attacks and GPU-accelerated brute force, enabling attackers to recover plaintext passwords easily. This vulnerability was publicly disclosed and assigned CVE-2026-45413. The issue is resolved in MaxKB version 2.9.1 by implementing a stronger password hashing mechanism.
Potential Impact
Passwords stored with unsalted MD5 hashes can be quickly cracked if an attacker obtains the hash values, compromising user credentials. This can lead to unauthorized access to user accounts within affected MaxKB deployments. There is no indication of remote exploitability without local access or other conditions, and no known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade MaxKB to version 2.9.1 or later, where the password storage mechanism has been fixed to use a stronger hashing method. Since no official remediation level or patch links are provided, users should verify the upgrade availability from the vendor or project repository. Patch status is not yet confirmed via vendor advisory; check the official MaxKB sources for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-12T01:48:40.452Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16041de29bf47b505ea076
Added to database: 5/26/2026, 8:35:41 PM
Last enriched: 5/26/2026, 8:49:20 PM
Last updated: 5/27/2026, 4:55:42 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.