MaxKB Remote Code Execution Vulnerability via MCP Node Command Injection
Vulnerability
A remote code execution vulnerability has been identified in MaxKB versions 2.7.1 and prior. This issue arises from an incomplete fix for a previous vulnerability, allowing for command injection through the MCP node of the workflow engine. The vulnerability exists because the application only restricts the loading of MCP configuration from the database, while the alternative method of loading MCP servers from user-supplied JSON remains unpatched. Attackers can exploit this by omitting the 'mcp_source' field or setting it to a non-referencing value, thereby injecting a crafted MCP node configuration that includes arbitrary commands and arguments. When the modified workflow is executed via chat, the injected commands are executed, leading to remote code execution.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where MaxKB is running.
Reproduction
To reproduce this vulnerability, send a request to the workflow creation API with a JSON payload that includes a crafted MCP node configuration. Omit the 'mcp_source' field or set it to a non-referencing value to bypass the application's restrictions. Include the 'mcp_servers' field with the injected commands and arguments. Once the workflow is created, trigger it via the chat interface to execute the injected commands.
Remediation
Users can upgrade to MaxKB version 2.8.0 or later, where this vulnerability has been fixed.
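An audit check for the condition described under Vulnerability, added here as an example and not taken from MaxKB's code: it walks a workflow definition and reports any object that supplies 'mcp_servers' inline with a command while 'mcp_source' is absent or non-referencing. The literal value "referencing", the node layout in the sample, and the function names are assumptions.

```python
import json
# Assumption: "referencing" is the mcp_source value meaning "use the stored
# MCP config"; the advisory only describes other values as non-referencing.
REFERENCING = "referencing"
_BAD = object()  # marks an mcp_servers string that is not valid JSON

def _parse_servers(raw):
    """mcp_servers may be a JSON string or an already-decoded object."""
    if not isinstance(raw, str):
        return raw
    try:
        return json.loads(raw)
    except ValueError:
        return _BAD

def _has_command(obj):
    """True if any nested dict carries a 'command' key (local process launch)."""
    if isinstance(obj, dict):
        return "command" in obj or any(_has_command(v) for v in obj.values())
    if isinstance(obj, list):
        return any(_has_command(v) for v in obj)
    return False

def find_inline_mcp(doc, path="$"):
    """List (json_path, reason) for each inline, non-referenced mcp_servers."""
    findings = []
    if isinstance(doc, dict):
        if "mcp_servers" in doc and doc.get("mcp_source") != REFERENCING:
            servers = _parse_servers(doc["mcp_servers"])
            if servers is _BAD:
                findings.append((path, "inline mcp_servers is not valid JSON"))
            elif _has_command(servers):
                findings.append((path, "inline mcp_servers with command"))
        for key, value in doc.items():
            findings += find_inline_mcp(value, f"{path}.{key}")
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            findings += find_inline_mcp(value, f"{path}[{i}]")
    return findings

# Constructed sample; the node layout and placeholder values are hypothetical.
SAMPLE = {"nodes": [
    {"id": "a", "node_data": {"mcp_source": "referencing"}},
    {"id": "b", "node_data": {"mcp_servers": json.dumps(
        {"srv": {"command": "PLACEHOLDER", "args": ["PLACEHOLDER"]}})}},
    {"id": "c", "node_data": {"mcp_source": "custom", "mcp_servers":
        {"srv": {"url": "https://mcp.example.invalid/sse"}}}},
]}

print(find_inline_mcp(SAMPLE))
```

Only node "b" is reported: node "a" references a stored configuration and node "c" supplies a URL rather than a command.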
