CVE-2026-39417 Overview
CVE-2026-39417 is a Remote Code Execution (RCE) vulnerability in MaxKB, an open-source AI assistant for enterprise. This vulnerability exists due to an incomplete fix for CVE-2025-53928, where the MCP node of the workflow engine remains exploitable. Versions 2.7.1 and below are affected, allowing attackers to achieve arbitrary command execution by bypassing the security patch through crafted JSON payloads.
Critical Impact
Authenticated attackers can achieve Remote Code Execution on the MaxKB server by injecting malicious MCP node configurations with stdio transport, arbitrary commands, and arguments when workflows are triggered via chat.
Affected Products
- MaxKB versions 2.7.1 and below
- MaxKB workflow engine MCP node component
- MaxKB instances with workflow creation API access enabled
Discovery Timeline
- 2026-04-14 - CVE-2026-39417 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-39417
Vulnerability Analysis
This vulnerability is an incomplete security fix for the previously identified CVE-2025-53928. The original patch addressed the code path that loads MCP configurations from the database (the referencing path). However, the else branch that loads mcp_servers directly from user-supplied JSON was left completely unpatched.
The flaw is classified under CWE-20 (Improper Input Validation). The mcp_source field is defined as optional (required=False), which creates the bypass opportunity. An attacker can simply omit this field or set it to any non-referencing value to circumvent the existing security controls entirely.
Root Cause
The root cause stems from inconsistent input validation across multiple code branches handling MCP configuration loading. While the developers secured the database referencing path after CVE-2025-53928, they failed to apply the same restrictions to the direct JSON input path. This oversight allows attackers to inject complete MCP node configurations directly through the workflow creation API without any validation.
Attack Vector
The attack is network-based and requires low-privilege authentication with user interaction to trigger the malicious workflow. An attacker exploits this vulnerability by:
- Calling the workflow creation API directly with a crafted JSON payload
- Omitting mcp_source, or setting it to a non-referencing value, to bypass the fix
- Injecting a complete MCP node configuration containing stdio transport with arbitrary command and arguments
- Triggering the workflow via chat to execute the injected commands
The vulnerability enables Remote Code Execution when the malicious workflow is triggered, allowing attackers to execute arbitrary system commands on the MaxKB server. For detailed technical analysis of the vulnerable code path, refer to the GitHub Security Advisory GHSA-pw52-326g-r5xj.
Detection Methods for CVE-2026-39417
Indicators of Compromise
- Unexpected workflow creations containing MCP node configurations with stdio transport types
- API calls to workflow creation endpoints with JSON payloads containing mcp_servers configurations that omit the mcp_source field
- Unusual command execution patterns originating from MaxKB worker processes
- Workflow executions spawning child processes with unexpected command-line arguments
Detection Strategies
- Monitor workflow creation API endpoints for suspicious JSON payloads containing direct mcp_servers configurations
- Implement logging for all MCP node configurations created without proper mcp_source referencing
- Audit workflow definitions for embedded command execution parameters in MCP nodes
- Deploy application-layer firewalls to inspect and filter malformed workflow creation requests
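The audit described in the strategies above can be run offline over exported workflow definitions. The following is an added example, not MaxKB code: it flags any mcp_servers block whose mcp_source is missing or not "referencing", and marks stdio entries for review. The node layout and the "transport", "command" and "args" key names are assumptions about the workflow JSON.

```python
import json

REFERENCING = "referencing"  # mcp_source value for the database-backed path, per the advisory text

def _servers(raw):
    """Normalise mcp_servers to a name -> config dict (it may arrive JSON-encoded)."""
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except ValueError:
            return {}
    return raw if isinstance(raw, dict) else {}

def audit_workflow(node, path="$"):
    """Walk a workflow definition and report MCP servers defined inline."""
    findings = []
    if isinstance(node, dict):
        # Inline definition: mcp_servers present while mcp_source is absent or non-referencing.
        if "mcp_servers" in node and node.get("mcp_source") != REFERENCING:
            for name, cfg in _servers(node["mcp_servers"]).items():
                if isinstance(cfg, dict):
                    findings.append({
                        "path": path, "server": name,
                        "mcp_source": node.get("mcp_source"),
                        # "transport"/"command"/"args" key names are assumptions.
                        "stdio": cfg.get("transport") == "stdio" or "command" in cfg,
                        "command": cfg.get("command"), "args": cfg.get("args", []),
                    })
        for key, value in node.items():
            findings += audit_workflow(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += audit_workflow(value, f"{path}[{i}]")
    return findings

# Constructed sample workflow; node layout and values are illustrative only.
SAMPLE = {"nodes": [
    {"id": "n1", "node_data": {"mcp_source": "referencing", "mcp_servers": "{}"}},
    {"id": "n2", "node_data": {  # mcp_source omitted
        "mcp_servers": json.dumps({"demo": {
            "transport": "stdio", "command": "example-tool", "args": ["--flag"]}})}},
    {"id": "n3", "node_data": {"mcp_source": "custom", "mcp_servers": {
        "remote": {"transport": "sse", "url": "https://mcp.example.invalid/sse"}}}},
]}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        print("REVIEW" if f["stdio"] else "note", json.dumps(f))
```

Findings with "stdio" set to true are the ones to review first, since they name a local command and arguments.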
Monitoring Recommendations
- Enable verbose logging on MaxKB workflow engine components to capture MCP node configuration details
- Monitor process execution chains for MaxKB worker processes spawning unexpected subprocesses
- Set up alerts for workflow creations by users with elevated API access privileges
- Review authentication logs for unusual patterns of workflow creation API calls
How to Mitigate CVE-2026-39417
Immediate Actions Required
- Upgrade MaxKB to version 2.8.0 or later immediately
- Audit existing workflows for any suspicious MCP node configurations with stdio transport
- Restrict API access to workflow creation endpoints until the patch is applied
- Review recent workflow creation logs for potential exploitation attempts
Patch Information
The vulnerability has been fixed in MaxKB version 2.8.0. The patch is available through the GitHub Release v2.8.0. The fix addresses the incomplete validation in the else branch that handles direct JSON input for MCP configurations. The specific commit addressing this vulnerability can be reviewed at the GitHub Commit 50e96002.
Workarounds
- Implement network-level access controls to restrict workflow creation API access to trusted IP addresses only
- Deploy a web application firewall (WAF) rule to block requests containing suspicious MCP node configurations
- Disable the MCP node functionality in workflows if not required for business operations
- Enable strict input validation at the API gateway level to reject workflow payloads with direct mcp_servers configurations
    # Configuration example
    # Restrict workflow API access via reverse proxy (nginx example)
    location /api/workflow/ {
        # Allow only trusted internal networks
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny all;
        # Proxy to MaxKB backend
        proxy_pass http://maxkb-backend;
    }

