Auth bypass in 1panel-dev Maxkb

CVE-2026-42337

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL…

Vulnerability class: Broken Access Control

EPSS: 0.000 (13.5th percentile) — read the EPSS interpretation.