CVE Catalog

CVE-2026-56779

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

MaxKB before version 2.10.0 contains a server-side request forgery (SSRF) vulnerability in tool creation and update endpoints. It allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters.

Risk Assessment

Attackers with the default USER role in the workspace can exploit this vulnerability to access internal network services, potentially leading to data leakage or further infrastructure compromise.

Recommendation

Immediately update MaxKB to version 2.10.0 or later, which includes a fix for the SSRF vulnerability. Additionally, consider restricting access to tool endpoints to trusted users only.

Original NVD description (English source)

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS