CVE-2026-45412: MaxKB AI Assistant SSRF Vulnerability

CVE-2026-45412 Overview

CVE-2026-45412 is a Server-Side Request Forgery (SSRF) vulnerability in MaxKB, an open-source AI assistant for enterprise use. The flaw exists in the work_flow_template import functionality. Authenticated users can supply arbitrary URLs in the work_flow_template.downloadUrl parameter, which the server fetches without URL validation or internal IP filtering. This allows attackers to direct the server to make HTTP requests to internal infrastructure, cloud metadata endpoints, or other restricted resources. The vulnerability is tracked under [CWE-918] and is fixed in MaxKB version 2.9.1.

Critical Impact

Authenticated attackers can pivot through the MaxKB server to access internal services, scan internal networks, or retrieve sensitive metadata from cloud environments.

Affected Products

• MaxKB versions prior to 2.9.1
• 1Panel-dev MaxKB open-source AI assistant
• Self-hosted MaxKB enterprise deployments

Discovery Timeline

• 2026-05-26 - CVE-2026-45412 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45412

Vulnerability Analysis

The vulnerability resides in the workflow template import feature of MaxKB. When an authenticated user triggers a template import, the application reads the downloadUrl field from work_flow_template and issues a server-side HTTP request to retrieve the referenced resource. The application performs no validation on the URL scheme, hostname, or destination IP address.

An attacker with valid credentials can submit a downloadUrl pointing to private network ranges such as 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, or 169.254.169.254. The server then issues the request from its own network context, bypassing perimeter controls. Cloud-hosted MaxKB instances are particularly exposed because the 169.254.169.254 instance metadata endpoint can return IAM credentials on AWS, Azure, and GCP.

The CWE-918 classification confirms the absence of an allowlist or denylist on outbound destinations. The privileges required are low because any authenticated MaxKB user can invoke the import workflow.

Root Cause

The root cause is missing input validation on the downloadUrl parameter. The application accepts any user-supplied URL and passes it directly to the HTTP client used by the template import handler. There is no scheme allowlist, no DNS resolution check, and no filter for RFC 1918 or link-local addresses.

Attack Vector

The attack vector is network-based and requires authentication. An attacker logs into MaxKB, crafts a workflow template import request containing a malicious downloadUrl, and submits it through the application API. The MaxKB backend fetches the supplied URL, and the response or its side effects are observable to the attacker depending on the import handler behavior.

The vulnerability mechanism is described in the GitHub Security Advisory GHSA-x9g5-j56j-4mfj. No public proof-of-concept code has been released.

Detection Methods for CVE-2026-45412

Indicators of Compromise

• Outbound HTTP requests from the MaxKB server process to RFC 1918 addresses or 169.254.169.254
• Unexpected workflow template import API calls containing external or internal URLs in the downloadUrl field
• Application logs showing template imports from non-standard or attacker-controlled domains
• MaxKB process initiating connections to internal services it does not normally communicate with

Detection Strategies

• Monitor MaxKB application logs for work_flow_template import events and extract the downloadUrl value for review
• Inspect egress network telemetry from MaxKB hosts for connections targeting private IP ranges or cloud metadata endpoints
• Alert on HTTP responses returned to the MaxKB process that contain credential-like patterns or IAM tokens

Monitoring Recommendations

• Enable verbose audit logging for all template import operations and forward logs to a centralized SIEM
• Baseline normal outbound destinations for the MaxKB server and alert on deviations
• Track authenticated user activity for anomalous patterns such as repeated import attempts with varying URLs

How to Mitigate CVE-2026-45412

Immediate Actions Required

• Upgrade MaxKB to version 2.9.1 or later, which contains the official fix
• Audit existing workflow template records for suspicious downloadUrl values pointing to internal hosts
• Rotate any cloud instance credentials accessible from the MaxKB host if compromise is suspected
• Restrict MaxKB user accounts to trusted personnel until patching is complete

Patch Information

The vulnerability is fixed in MaxKB 2.9.1. Refer to the GitHub Security Advisory GHSA-x9g5-j56j-4mfj for full details on the fix. Administrators should upgrade through the standard 1Panel-dev MaxKB release channel.

Workarounds

• Place MaxKB behind an egress proxy that blocks requests to RFC 1918 ranges and 169.254.169.254
• Apply network segmentation so the MaxKB host cannot reach cloud metadata services or sensitive internal endpoints
• Disable or restrict access to the workflow template import feature until the patch is applied
• Enforce strict role-based access control to limit which authenticated users can trigger template imports

# Configuration example: block cloud metadata endpoint via iptables
iptables -A OUTPUT -m owner --uid-owner maxkb -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner maxkb -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner maxkb -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner maxkb -d 192.168.0.0/16 -j REJECT