CVE-2026-56779
- Source
- https://cve.org/CVERecord?id=CVE-2026-56779
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-56779.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-56779
- Published
- 2026-06-25T18:11:12.206Z
- Modified
- 2026-06-26T04:11:18.587680573Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N CVSS Calculator
- Summary
- MaxKB < 2.10.0 - Server-Side Request Forgery via downloadCallbackUrl and download_url Parameters
- Details
-
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56779.json", "cwe_ids": [ "CWE-918" ], "cna_assigner": "VulnCheck" }- References
-
- https://github.com/1Panel-dev/MaxKB
- https://github.com/1Panel-dev/MaxKB/commit/6c156afc656afa62ea4280e504a06ac1c9696b36
- https://github.com/1Panel-dev/MaxKB/issues/6272
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56779.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-56779
- https://www.vulncheck.com/advisories/maxkb-server-side-request-forgery-via-downloadcallbackurl-and-download-url-parameters
Affected packages
Git / github.com/1panel-dev/maxkb
Affected versions
v0.*
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.10.0-lts
v1.10.1-lts
v1.10.2-lts
v1.10.3-lts
v1.10.4-lts
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.7.0
v1.9.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.8.1
v2.9.0
v2.9.1
v2.9.2