CVE-2026-42337
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
26/05/2026
Last modified:
27/05/2026
Description
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM



