CVE-2026-44847 in MaxKBИнформация

Сводка

по MITRE • 27.05.2026

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Ответственный

GitHub M

Резервировать

07.05.2026

Раскрытие

27.05.2026

Модерация

принято

Вход

VDB-365821

CPE

готов

CWE

CWE-287 (Подтверждённый)

CVSS

7.5 (CNA)

EPSS

0.00094

KEV

Нет

Деятельности

Очень низкий

Источники

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-44847
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-44847
CVE Details	https://www.cvedetails.com/cve/CVE-2026-44847/

◂ Предыдущий Обзор Далее ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!