CVE-2026-39418
Published: 14 April 2026
Summary
CVE-2026-39418 is a medium-severity SSRF (CWE-918) vulnerability in MaxKB. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 9.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the sandbox bypass vulnerability by requiring timely remediation through patching to MaxKB version 2.8.0 or later.
Enforces boundary protection to monitor and control network communications, blocking unauthorized access to internal services even if the application sandbox is bypassed.
Implements robust information flow enforcement policies to restrict connections to banned hosts, addressing the core failure in the sandbox's network protection mechanism.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an SSRF (CWE-918) in a public-facing application that directly enables bypassing sandbox network restrictions to access blocked internal services.
NVD Description
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows an authenticated user with tool-editing permissions to reach internal services that are explicitly blocked by the sandbox's banned hosts configuration. MaxKB's sandbox uses LD_PRELOAD to hook the connect() function and block connections to banned IPs, but Linux's sendto() with the MSG_FASTOPEN flag can establish TCP connections directly through the kernel without ever calling connect(), completely bypassing the IP validation. Although sendto is listed in the syscall() wrapper, this is ineffective because glibc invokes the kernel syscall directly rather than routing through the hooked syscall() function. This issue has been fixed in version 2.8.0.
Deeper analysis
CVE-2026-39418 is a sandbox network protection bypass vulnerability in MaxKB, an open-source AI assistant for enterprise knowledge bases, affecting versions 2.7.1 and below. The sandbox employs LD_PRELOAD to hook the connect() function and enforce a banned hosts configuration by blocking connections to specified IPs. However, an attacker can circumvent this by invoking socket.sendto() with the MSG_FASTOPEN flag, which allows Linux to establish TCP connections directly via the kernel without invoking connect(), thus evading IP validation. Although sendto() is listed in the syscall() wrapper, the hook is ineffective because glibc calls the kernel syscall directly.
An authenticated user with tool-editing permissions can exploit this vulnerability remotely over the network with high attack complexity. Successful exploitation enables access to internal services explicitly blocked by the sandbox's configuration, potentially leading to low-impact confidentiality, integrity, and availability violations. The vulnerability is scored at CVSS 5.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-918 (Server-Side Request Forgery).
The issue was addressed in MaxKB version 2.8.0. Mitigation details are provided in the GitHub security advisory (GHSA-w9g4-q3gm-6q6w), release notes for v2.8.0, and the patching commit (4d06362750b15390437f1d2e4d14ec79baef8559). Security practitioners should upgrade to 2.8.0 or later and review tool-editing permissions in affected deployments.
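A destination check of the kind the sandbox applies in connect() has to run on every call that carries a destination address, sendto() included. The following is an added example, not MaxKB's code or its 2.8.0 fix: `dest_is_banned`, `guarded_sendto` and the banned ranges are constructed for illustration, and unknown address families are assumed to fail closed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#ifndef MSG_FASTOPEN
#define MSG_FASTOPEN 0x20000000  /* Linux value, for older headers */
#endif

/* Constructed sample policy (host byte order); not MaxKB's banned-hosts list. */
struct cidr4 { uint32_t net; uint32_t mask; };
static const struct cidr4 banned[] = {
    { 0x7F000000u, 0xFF000000u },  /* 127.0.0.0/8 */
    { 0x0A000000u, 0xFF000000u },  /* 10.0.0.0/8 */
    { 0xA9FE0000u, 0xFFFF0000u },  /* 169.254.0.0/16 */
};

/* Return 1 if the destination is banned. Unknown families fail closed. */
int dest_is_banned(const struct sockaddr *sa, socklen_t len) {
    uint32_t ip;
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        ip = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
    } else if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_LOOPBACK(a6)) return 1;
        if (!IN6_IS_ADDR_V4MAPPED(a6)) return 0;  /* sample list is IPv4-only */
        memcpy(&ip, &a6->s6_addr[12], 4);          /* ::ffff:a.b.c.d */
        ip = ntohl(ip);
    } else {
        return 1;
    }
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++)
        if ((ip & banned[i].mask) == banned[i].net) return 1;
    return 0;
}

/* Body a sendto() interposer would run before forwarding to the real call. */
ssize_t guarded_sendto(int fd, const void *buf, size_t n, int flags,
                       const struct sockaddr *dst, socklen_t dlen) {
    if (dst != NULL && dest_is_banned(dst, dlen)) {
        errno = EACCES;  /* refuse before the kernel ever sees the address */
        return -1;
    }
    return sendto(fd, buf, n, flags, dst, dlen);
}
```

A check like this only sees calls made through the libc symbol, so the boundary protection control listed above still has to be enforced outside the sandboxed process.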
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai