Cyber Resilience

CVE-2026-39421

Medium

Published: 14 April 2026

Published
14 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0010 27.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39421 is a medium-severity Code Injection (CWE-94) vulnerability in Maxkb Maxkb. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).

Deeper analysis

MaxKB, an open-source AI assistant for enterprise knowledge base management, contains a sandbox escape vulnerability in its ToolExecutor component affecting versions 2.7.1 and below. The issue allows attackers to leverage Python's ctypes library for executing raw system calls, bypassing the LD_PRELOAD-based sandbox.so module. This module intercepts critical functions such as execve, system, connect, and open, while also blocking mprotect to prevent PROT_EXEC memory allocations in sandboxed Python processes; however, pkey_mprotect is not intercepted, enabling the bypass and subsequent arbitrary code execution via direct kernel system calls.

An authenticated attacker with workspace privileges can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation grants arbitrary code execution, facilitating full network exfiltration and container compromise, as reflected in the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and associated CWEs-94 (code injection) and CWE-693 (protection mechanism failure).

The vulnerability has been addressed in MaxKB version 2.8.0. Security practitioners should upgrade to this version for the fix, with detailed changes available in the GitHub commit 479701a4d2e6059506bad0057a66bed91abb5aef, release notes at github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0, and the official advisory at github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9c6w-j7w5-3gf7.

This flaw underscores sandboxing risks in AI/ML deployments, particularly for enterprise tools executing untrusted code in shared environments like containers.

EU & UK References

Vulnerability details

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the…

more

LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability is a remote code injection flaw (CWE-94) in a public-facing application that enables sandbox bypass for arbitrary Python code execution via ctypes and direct syscalls.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39420Same product: Maxkb Maxkb
CVE-2026-39418Same product: Maxkb Maxkb
CVE-2025-53928Same product: Maxkb Maxkb
CVE-2024-56137Same product: Maxkb Maxkb
CVE-2026-33873Shared CWE-94
CVE-2026-33057Shared CWE-94
CVE-2026-4965Shared CWE-94
CVE-2026-33017Shared CWE-94
CVE-2025-53890Shared CWE-94
CVE-2026-34938Shared CWE-693

Affected Assets

maxkb
maxkb
≤ 2.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation, directly preventing exploitation of the sandbox escape vulnerability by patching to MaxKB version 2.8.0.

prevent

Mandates process isolation mechanisms that prevent authenticated attackers from bypassing LD_PRELOAD-based sandboxes via ctypes raw system calls.

prevent

Implements memory protections to restrict executable memory allocations, mitigating the pkey_mprotect bypass used in the sandbox escape.

References