CVE-2026-54149 in MaxKBinfo

Summary

by MITRE • 07/10/2026

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not consistently validate MCP transport type, allowing an authenticated user to import a .tool file containing stdio transport with malicious commands and trigger the configuration through an AI Chat node so MultiServerMCPClient executes arbitrary system commands. This issue is fixed in version 2.10.0-lts.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability exists within MaxKB version prior to 2.10.0-lts where the import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py fail to properly validate MCP transport types. This represents a critical security flaw that allows authenticated users to exploit command execution capabilities through malicious tool file imports. The vulnerability specifically targets the lack of validation for stdio transport types which enables attackers to craft malicious .tool files containing arbitrary commands that can be executed when processed by the AI chat node.

The technical implementation flaw stems from insufficient input sanitization and validation within the tool import pipeline. When an authenticated user uploads a malicious .tool file containing stdio transport specifications, the system does not properly verify the transport type before processing. This oversight allows the MultiServerMCPClient component to execute arbitrary system commands as part of its normal operation flow. The vulnerability operates at the intersection of configuration management and command execution, where user-supplied data flows directly into system-level operations without proper validation layers.

This issue creates a severe operational impact that extends beyond typical privilege escalation scenarios. An authenticated attacker can leverage this vulnerability to execute arbitrary commands on the server hosting MaxKB, potentially leading to full system compromise. The attack vector is particularly dangerous because it requires only authentication access and leverages legitimate system components to execute malicious payloads. The vulnerability affects the core functionality of enterprise AI assistant systems where command execution capabilities could be used for data exfiltration, lateral movement, or persistent access establishment.

The mitigation strategy involves upgrading to version 2.10.0-lts which implements proper MCP transport type validation. Organizations should also implement additional defensive measures including network segmentation, monitoring of tool import activities, and regular security assessments of third-party components. From a compliance perspective, this vulnerability maps to CWE-78 (Improper Neutralization of Special Elements used in OS Command) and aligns with ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) and T1021.004 (Remote Services: SSH). The fix addresses the root cause by implementing strict validation of transport types during tool import processes, ensuring that only approved transport mechanisms can be executed within the system's chat pipeline components.

Responsible

GitHub M

Reservation

06/11/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!