Cyber Resilience

CVE-2026-39418

Medium

Published: 14 April 2026

Published
14 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 5.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0004 11.5th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39418 is a medium-severity SSRF (CWE-918) vulnerability in Maxkb Maxkb. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-39418 is a sandbox network protection bypass vulnerability in MaxKB, an open-source AI assistant for enterprise knowledge bases, affecting versions 2.7.1 and below. The sandbox employs LD_PRELOAD to hook the connect() function and enforce a banned hosts configuration by blocking connections to specified IPs. However, an attacker can circumvent this by invoking socket.sendto() with the MSG_FASTOPEN flag, which allows Linux to establish TCP connections directly via the kernel without invoking connect(), thus evading IP validation. Although sendto() is listed in the syscall() wrapper, the hook is ineffective because glibc calls the kernel syscall directly.

An authenticated user with tool-editing permissions can exploit this vulnerability remotely over the network with high attack complexity. Successful exploitation enables access to internal services explicitly blocked by the sandbox's configuration, potentially leading to low-impact confidentiality, integrity, and availability violations. The vulnerability is scored at CVSS 5.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-918 (Server-Side Request Forgery).

The issue was addressed in MaxKB version 2.8.0. Mitigation details are provided in the GitHub security advisory (GHSA-w9g4-q3gm-6q6w), release notes for v2.8.0, and the patching commit (4d06362750b15390437f1d2e4d14ec79baef8559). Security practitioners should upgrade to 2.8.0 or later and review tool-editing permissions in affected deployments.

EU & UK References

Vulnerability details

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows authenticated user with tool-editing permissions to reach internal services that are explicitly…

more

blocked by the sandbox's banned hosts configuration. MaxKB's sandbox uses LD_PRELOAD to hook the connect() function and block connections to banned IPs, but Linux's sendto() with the MSG_FASTOPEN flag can establish TCP connections directly through the kernel without ever calling connect(), completely bypassing the IP validation. Although sendto is listed in the syscall() wrapper, this is ineffective because glibc invokes the kernel syscall directly rather than routing through the hooked syscall() function. This issue has been fixed in version 2.8.0.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an SSRF (CWE-918) in a public-facing application that directly enables bypassing sandbox network restrictions to access blocked internal services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39420Same product: Maxkb Maxkb
CVE-2026-39421Same product: Maxkb Maxkb
CVE-2025-53928Same product: Maxkb Maxkb
CVE-2024-56137Same product: Maxkb Maxkb
CVE-2026-3789Shared CWE-918
CVE-2026-28677Shared CWE-918
CVE-2026-45400Shared CWE-918
CVE-2026-45331Shared CWE-918
CVE-2026-7223Shared CWE-918
CVE-2026-3788Shared CWE-918

Affected Assets

maxkb
maxkb
≤ 2.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the sandbox bypass vulnerability by requiring timely remediation through patching to MaxKB version 2.8.0 or later.

prevent

Enforces boundary protection to monitor and control network communications, blocking unauthorized access to internal services even if the application sandbox is bypassed.

prevent

Implements robust information flow enforcement policies to restrict connections to banned hosts, addressing the core failure in the sandbox's network protection mechanism.

References