CVE-2026-42337
Description
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications’ policies. This vulnerability is fixed in 2.8.1.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-42337? +
How do I check if I'm vulnerable to CVE-2026-42337? +
Related Vulnerabilities
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` …
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with …
The <redacted>.exe or <redacted>.exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectively as any …
Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does …
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person …
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role …