Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-48950

CVE-2025-48950: Maxkb AI Assistant RCE Vulnerability

CVE-2025-48950 is a remote code execution flaw in Maxkb AI assistant that allows attackers to bypass sandbox restrictions and execute code. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-48950 Overview

CVE-2025-48950 affects MaxKB, an open-source AI assistant for enterprise use maintained by 1Panel. The vulnerability stems from incorrect default permissions [CWE-276] in the MaxKB sandbox environment. The sandbox restricts execution permissions only on binary files located in common directories such as /bin and /usr/bin. Attackers can invoke executable files residing in non-blacklisted directories to bypass the sandbox restrictions. Versions prior to 1.10.8-lts are affected, and the maintainers released 1.10.8-lts to remediate the issue.

Critical Impact

Authenticated attackers can escape the MaxKB sandbox by executing binaries outside blacklisted directories, potentially compromising confidentiality, integrity, and availability of the underlying system.

Affected Products

  • MaxKB (maxkb:maxkb) versions prior to 1.10.8-lts
  • 1Panel-dev MaxKB LTS distributions running the vulnerable sandbox configuration
  • Docker-based MaxKB deployments using the pre-patch installer Dockerfile

Discovery Timeline

  • 2025-06-03 - CVE-2025-48950 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-48950

Vulnerability Analysis

MaxKB executes user-provided code inside a sandbox that relies on filesystem permissions to constrain what binaries the sandbox user can invoke. The hardening step only removed the group execute bit from binaries in a limited set of directories, including /usr/local/bin, /usr/bin, /bin, /usr/sbin, /sbin, and /usr/lib/postgresql/15/bin. Any executable outside those paths retained its default permissions and remained callable from the sandboxed context.

The issue is classified as CWE-276 (Incorrect Default Permissions). The sandbox enforced a deny-by-directory model rather than a deny-by-default model, so binaries in unexpected locations were reachable. An authenticated user with the ability to submit sandbox jobs can leverage those binaries to run arbitrary commands and interact with resources beyond the sandbox scope.

Root Cause

The root cause is an incomplete permission-hardening step in the installer Dockerfile. The chmod g-x sweep enumerated a fixed list of directories rather than applying a global restriction, leaving other executable files world- or group-executable. Additionally, /etc was made unreadable but still traversable, providing reconnaissance opportunities.

Attack Vector

The attack vector is network-based and requires low privileges. An authenticated attacker submits sandbox input that references or invokes an executable located outside the hardened directories. Because the sandbox never removed execute permissions from those binaries, the attacker achieves execution under the sandbox user and can pivot against system components. The vulnerability changes scope, affecting confidentiality, integrity, and availability of resources outside the sandbox boundary.

text
     chown -R sandbox:root /opt/maxkb/app/sandbox && \
     chmod g-x /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/15/bin/* && \
     chmod g+x /usr/local/bin/python* && \
-    chmod g-r /etc
+    chmod g-rx /etc
 
 EXPOSE 8080

Source: GitHub Commit 187e9c1. The patch tightens /etc from g-r to g-rx, removing group traversal in addition to read, closing an information-disclosure and lookup path used during sandbox escape attempts.

Detection Methods for CVE-2025-48950

Indicators of Compromise

  • Sandbox process (sandbox user) spawning binaries from paths outside /usr/local/bin, /usr/bin, /bin, /usr/sbin, or /sbin.
  • Unexpected outbound network connections originating from the MaxKB container or host process tree.
  • Access attempts on /etc entries from the sandbox user context inside the MaxKB container.

Detection Strategies

  • Monitor container process execution and alert when the sandbox UID invokes binaries outside the expected Python interpreter path.
  • Compare running MaxKB container image digests against the v1.10.8-lts release to identify unpatched deployments.
  • Review MaxKB application logs for sandbox job payloads that reference absolute paths to non-standard executables.

Monitoring Recommendations

  • Enable Linux audit rules on the MaxKB host to log execve events for the sandbox user and forward them to a centralized log platform.
  • Track filesystem permission changes on the container image build pipeline to detect regressions in the Dockerfile hardening step.
  • Baseline expected sandbox behavior and alert on deviations such as new child processes, shell invocations, or file writes outside /opt/maxkb/app/sandbox.

How to Mitigate CVE-2025-48950

Immediate Actions Required

  • Upgrade MaxKB to version 1.10.8-lts or later, which contains the corrected permission model.
  • Rebuild and redeploy all MaxKB container images using the patched installer Dockerfile from the fixed release.
  • Restrict network access to MaxKB administrative and sandbox endpoints to trusted users only.

Patch Information

The fix is delivered in MaxKB v1.10.8-lts via Pull Request #3127 and commit 187e9c1e. See the GitHub Security Advisory GHSA-p2qq-x9j2-px8v for the full vendor advisory.

Workarounds

  • Manually apply the Dockerfile changes to remove group-execute permissions on additional binary directories present in the image.
  • Run the MaxKB container with a read-only root filesystem and drop unnecessary Linux capabilities to constrain sandbox escape impact.
  • Enforce mandatory access controls such as AppArmor or SELinux profiles that limit which binaries the sandbox user can execute.
bash
# Configuration example: harden a running MaxKB container until upgrade is possible
docker exec -u root <maxkb_container> \
  find / -type f -perm -o=x -not -path '/proc/*' -not -path '/opt/maxkb/app/sandbox/*' \
  -exec chmod o-x {} \;
docker exec -u root <maxkb_container> chmod g-rx /etc

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.