CVE-2026-42335
MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
14th
MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch (chat/api/oss/get_url) endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse validation function and the requests HTTP client, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1.
| CWE | CWE-918 |
| Vendor | 1panel-dev |
| Product | maxkb |
| Published | May 26, 2026 |
| Last Updated | May 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for 1panel-dev maxkb
Be the first to know when new unknown vulnerabilities affecting 1panel-dev maxkb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
1Panel-dev / MaxKB
< 2.8.1