PT-2026-43398 · Maxkb · Maxkb

Forimoc

+1

·

Published

2026-05-26

·

Updated

2026-05-27

·

CVE-2026-42337

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions MaxKB versions prior to 2.8.1
Description Broken access control exists in the OSS file service URL fetch API endpoint "chat/api/oss/get url". The system uses the application id variable from the URL path without validating ownership, which allows attackers to perform operations under the policies of other applications.
Recommendations Update to version 2.8.1.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42337
GHSA-2JMJ-GWVG-3GP2

Affected Products

Maxkb