CVE Catalog

CVE-2026-44847

High
Published: Translated: NVD NIST

Summary

MaxKB is an open-source AI assistant for enterprises. In versions prior to 2.9.0, the webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication, allowing unauthorized attackers to invoke tasks associated with a valid trigger ID.

Risk Assessment

Unauthorized attackers can exploit this vulnerability to execute tasks, potentially leading to unauthorized access to resources and financial losses for the organization.

Recommendation

It is recommended to upgrade to version 2.9.0 or later to secure the webhook endpoint against unauthorized access.

Original NVD description (English source)

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS