CVE-2026-54149

1Panel-dev · MaxKB

MaxKB contains an OS command injection vulnerability allowing authenticated attackers to execute arbitrary system commands.

Executive summary

A critical OS command injection vulnerability in 1Panel-dev MaxKB allows authenticated attackers to achieve remote code execution.

Vulnerability

This vulnerability (CWE-78) involves the improper neutralization of special elements used in an OS command. An attacker with low-level authenticated access can manipulate input parameters to execute arbitrary commands on the underlying host operating system.

Business impact

Successful exploitation of this vulnerability results in full system compromise, as the attacker can execute commands with the privileges of the application process. Given the CVSS score of 8.8, this poses a significant risk to data confidentiality, integrity, and availability, potentially allowing unauthorized access to sensitive enterprise AI data and backend infrastructure.

Remediation

Immediate Action: Upgrade MaxKB to version 2.10.0-lts or later immediately to apply the necessary input sanitization patches.

Proactive Monitoring: Review system and application logs for unusual process execution patterns or unexpected shell commands originating from the MaxKB service account.

Compensating Controls: Implement strict network segmentation and egress filtering to limit the impact if the application is compromised, and ensure the service runs with the least privilege necessary.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this command injection vulnerability necessitates urgent attention. Security teams should prioritize the update to version 2.10.0-lts to eliminate the attack vector, as this flaw provides an authenticated attacker with total control over the server environment.