CVE-2026-56779

MEDIUM NVD

CVSS Score 6.4

Severity MEDIUM

Published Jun 25, 2026

Vendor unknown

Description

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.

References

https://github.com/1Panel-dev/MaxKB/commit/6c156afc656afa62ea4280e504a06ac1c9696b36
https://github.com/1Panel-dev/MaxKB/issues/6272
https://www.vulncheck.com/advisories/maxkb-server-side-request-forgery-via-downloadcallbackurl-and-download-url-parameters