CVE-2026-56779
MEDIUMMaxKB < 2.10.0 - Server-Side Request Forgery via downloadCallbackUrl and download_url Parameters
Title source: cnaDescription
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
References (3)
Core 3
Core References
Exploit technical-description
exploit
Researcher Disclosure
https://github.com/1Panel-dev/MaxKB/issues/6272
Patch patch
Patch Commit
https://github.com/1Panel-dev/MaxKB/commit/6c156afc656afa62ea4280e504a06ac1c9696b36
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/maxkb-server-side-request-forgery-via-downloadcallbackurl-and-download-url-parameters
Scores
CVSS v3
6.4
EPSS
0.0017
EPSS Percentile
6.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
1Panel-dev/MaxKB
< 2.10.0
Published
Jun 25, 2026
Tracked Since
Jun 26, 2026