CVE-2026-45412

Published: Mag 26, 2026 Last Modified: Mag 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in 2.9.1.

918

Server-Side Request Forgery (SSRF)

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control

Potential Impacts:

Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism

Applicable Platforms

Technologies: Web Based, AI/ML, Web Server

View CWE Details

https://github.com/1Panel-dev/MaxKB/security/advisories/GHS…

https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-x9g5-j56j-4mfj

CVE-2026-45412

Description

Server-Side Request Forgery (SSRF)

Common Consequences

Applicable Platforms

Iscriviti alla newsletter