CVE-2026-56779
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
MaxKB before version 2.10.0 contains a server-side request forgery (SSRF) vulnerability in tool creation and update endpoints. It allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters.
Risk Assessment
Attackers with the default USER role in the workspace can exploit this vulnerability to access internal network services, potentially leading to data leakage or further infrastructure compromise.
Recommendation
Immediately update MaxKB to version 2.10.0 or later, which includes a fix for the SSRF vulnerability. Additionally, consider restricting access to tool endpoints to trusted users only.
Original NVD description (English source)
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.

