CVE-2026-39421
Published: 14 April 2026
Summary
CVE-2026-39421 is a medium-severity Code Injection (CWE-94) vulnerability in Maxkb Maxkb. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely flaw remediation, directly preventing exploitation of the sandbox escape vulnerability by patching to MaxKB version 2.8.0.
Mandates process isolation mechanisms that prevent authenticated attackers from bypassing LD_PRELOAD-based sandboxes via ctypes raw system calls.
Implements memory protections to restrict executable memory allocations, mitigating the pkey_mprotect bypass used in the sandbox escape.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote code injection flaw (CWE-94) in a public-facing application that enables sandbox bypass for arbitrary Python code execution via ctypes and direct syscalls.
NVD Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the…
more
LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0.
Deeper analysisAI
MaxKB, an open-source AI assistant for enterprise knowledge base management, contains a sandbox escape vulnerability in its ToolExecutor component affecting versions 2.7.1 and below. The issue allows attackers to leverage Python's ctypes library for executing raw system calls, bypassing the LD_PRELOAD-based sandbox.so module. This module intercepts critical functions such as execve, system, connect, and open, while also blocking mprotect to prevent PROT_EXEC memory allocations in sandboxed Python processes; however, pkey_mprotect is not intercepted, enabling the bypass and subsequent arbitrary code execution via direct kernel system calls.
An authenticated attacker with workspace privileges can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation grants arbitrary code execution, facilitating full network exfiltration and container compromise, as reflected in the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and associated CWEs-94 (code injection) and CWE-693 (protection mechanism failure).
The vulnerability has been addressed in MaxKB version 2.8.0. Security practitioners should upgrade to this version for the fix, with detailed changes available in the GitHub commit 479701a4d2e6059506bad0057a66bed91abb5aef, release notes at github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0, and the official advisory at github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9c6w-j7w5-3gf7.
This flaw underscores sandboxing risks in AI/ML deployments, particularly for enterprise tools executing untrusted code in shared environments like containers.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai