{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39420", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.595Z", "datePublished": "2026-04-14T00:13:01.189Z", "dateUpdated": "2026-04-14T00:13:01.189Z"}, "containers": {"cna": {"title": "MaxKB: Sandbox escape via LD_PRELOAD bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-7wgv-v2r3-7f7w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-7wgv-v2r3-7f7w"}, {"name": "https://github.com/1Panel-dev/MaxKB/commit/2d17b08e6b060329803754a05e806d0ddecf3fa8", "tags": ["x_refsource_MISC"], "url": "https://github.com/1Panel-dev/MaxKB/commit/2d17b08e6b060329803754a05e806d0ddecf3fa8"}, {"name": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"}], "affected": [{"vendor": "1Panel-dev", "product": "MaxKB", "versions": [{"version": "< 2.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T00:13:01.189Z"}, "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0."}], "source": {"advisory": "GHSA-7wgv-v2r3-7f7w", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0."}], "id": "CVE-2026-39420", "lastModified": "2026-04-14T01:16:04.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T01:16:04.530", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/1Panel-dev/MaxKB/commit/2d17b08e6b060329803754a05e806d0ddecf3fa8"}, {"source": "security-advisories@github.com", "url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-7wgv-v2r3-7f7w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.8.0)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "MaxKB", "source": "cna", "vendor": "1Panel-dev"}, "product": "maxkb", "vendor": "1panel"}], "analysis": {"en": {"generated_at": "2026-04-14T02:21:50.572880+00:00", "value": {"mitigation_remediation": ["Update MaxKB to version 2.8.0 or later to restore proper sandbox enforcement.", "If an upgrade is not immediately possible, deny the sandboxed user the ability to execute /usr/bin/env by removing it from the allowed executable list or by replacing env with a wrapper that blocks the -i option.", "Restrict tool execution privileges so that only trusted administrators can invoke the API that spawns subprocesses.", "Monitor logs for unexpected use of env \u2013i or other process creations from sandboxed users to detect exploitation attempts."], "summary": {"action": "Immediate patch", "impact": "Remote code execution after sandbox escape via LD_PRELOAD removal"}, "threat_synthesis": {"affected_systems": "The affected product is the open\u2011source AI assistant MaxKB developed by 1Panel\u2011dev. Any deployment using version 2.7.1 or earlier is vulnerable; the issue was patched in release 2.8.0.", "description_and_impact": "MaxKB implements a sandbox that injects a shared object through LD_PRELOAD to monitor critical libc calls used by untrusted Python code executed via its Tool Debug API. In versions up to and including 2.7.1 the sandbox permits the /usr/bin/env utility for sandboxed users, and the env -i option clears all environment variables, including LD_PRELOAD. An authenticated user with tool execution privileges can therefore run env -i python to drop the sandbox hooks before the subprocess starts, giving the Python process unrestricted access to the host for file and network operations. This results in a remote code execution vulnerability that allows an attacker to execute arbitrary code and access network resources from within the MaxKB instance. The flaw is manifested as a misuse of a trusted component (CWE\u2011693) and an OS command\u2011introduction vector (CWE\u201178).", "risk_and_exploitability": "The CVSS v3 score of 6.3 indicates a moderate-to-high severity. Exploitation requires the attacker to already have a privileged account that can invoke the Tool Debug API, so the risk is confined to compromised MaxKB instances. EPSS data is unavailable, but the vulnerability is not currently listed in CISA\u2019s KEV catalog. The likely attack vector is local, through authenticated tool execution; post\u2011exploitation the attacker can launch arbitrary code or network connections from the host. Accordingly, organizations should treat this as a risk that can be mitigated by patching or by restricting the ability to execute env within the sandbox."}}}}, "created": "2026-04-14T16:16:17.295996+00:00", "updated": "2026-04-14T16:31:13.621393+00:00", "vendors": ["1panel", "1panel$PRODUCT$maxkb"]}