Home » Database

AVID-2026-R1577

Description

MaxKB RCE vulnerability in function library (CVE-2024-56137)

Details

MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged‌ users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0.

Reason for inclusion in AVID: CVE-2024-56137 describes a remote code execution vulnerability in MaxKB’s function library. MaxKB is an AI-related system (LLM/RAG-based knowledge base) used within AI pipelines, comprising software components that can be part of the AI stack. The issue is a software vulnerability (RCE) in a component relevant to building/deploying AI systems, thus a software supply-chain risk for general-purpose AI workflows. The report provides explicit vulnerability behavior and a fix in v1.9.0, with references to the CVE/NVD and advisories, indicating sufficient evidence.

References

Affected or Relevant Artifacts

  • Developer: 1Panel-dev
  • Deployer: 1Panel-dev
  • Artifact Details:
TypeName
SystemMaxKB

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Base Score6.8
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges Required🔴 High
User InteractionREQUIRED
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability Impact🔴 High

CWE

IDDescription
CWE-78CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-01-02
  • Version: 0.3.3
  • AVID Entry