MaxKB

v2.10.0-lts Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent agentic-ai llm deepseek-r1 knowledgebase langchain llama3 maxkb mcp-server ollama pgvector qwen3

Affected surfaces

rce_ssrf auth

ReleasePort's take

Moderate signal
editorial:auto 9d

The release patches a post‑authentication remote code execution flaw in the MaxKB security layer caused by an MCP permission bypass. Multiple bug fixes address workflow, UI rendering, file handling, log export, and admin dashboard issues.

Why it matters: Critical RCE fix (severity 95) in MaxKB requires immediate patching; all listed bugs affect core functionality such as document uploads, UI layouts, chart rendering, file persistence, log accuracy, import workflows, password resets, audit logging, and admin statistics.

Summary

AI summary

A mixed release containing new features, feature optimizations, and bug fixes.

Changes in this release

Security Critical

Fixes post-authentication RCE vulnerability caused by MCP permission bypass in MaxKB.

Source: llm_adapter@2026-06-04

Confidence: high

Feature Low

Adds workspace homepage statistics for administrators to overview resources, monitoring trends and usage rankings.

Source: llm_adapter@2026-06-04

Confidence: high

Feature Low

Adds customizable terminology library in Knowledge Base; custom terms prioritize segmentation and retrieval (#5031).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Enables full multimodal input support for AI Conversation nodes (#5276).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Displays user input parameters inline within input boxes for configuration in Agent.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Provides visibility condition configuration for user input and form collection node parameters to link fields.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Supports custom language packs; locale files placed under /opt/maxkb/local/locales become selectable after restart (#5120).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Hides user input parameters when starting a new conversation on the Q&A Page (#5298).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Shows name of currently running node alongside AI responses on Q&A page (#5092).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Adds visibility toggle for parameters inside form collection nodes in Agent.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Introduces output parameter "Result List for Direct Reply" for multi-recall nodes in Agent.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Freezes operation buttons at top‑right during document segmentation preview in Knowledge Base (#965).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Renders segmented content in Markdown format on segmentation preview in Knowledge Base.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Adds text‑to‑image, text‑to‑video and image‑to‑video model support for MiniMax provider.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Adds multimodal embedding model support for Alibaba Cloud Bailian (#5142).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Supports Wan2.7 image‑to‑video model in Alibaba Cloud Bailian (#5232).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Enables parameter configuration for reranking models of all providers.

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Feature Low

Splits agent creation permission and copy permission into independent bits in Role Management (X-Pack) (#5284).

Source: granite4.1:30b@2026-06-04-audit

Confidence: low

Bugfix Medium

Fixes failure to upload documents in workflow knowledge base without corresponding workflow authorization (#5296).

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes abnormal display for embedded mobile layout, floating window layout and shared page style (#6130).

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes all ECharts charts getting overwritten by the first chart after page refresh when multiple charts are generated in one conversation.

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes uploaded files disappearing after page refresh once conversation ends in advanced agent (#5253).

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes exported conversation logs showing only username instead of full name, hindering user matching.

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes empty result after importing to create shared knowledge base (#5274).

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes validation error when admin resets user passwords (#5301).

Source: llm_adapter@2026-06-04

Confidence: high

Bugfix Medium

Fixes missing operation logs upon third‑party user login (X-Pack).

Source: llm_adapter@2026-06-04

Confidence: high

Full changelog

New Features

  • Homepage: Added workspace homepage statistics, enabling administrators to overview all workspace resources, operation monitoring trends and resource usage rankings.
  • Knowledge Base: Added customizable terminology library; custom terms are prioritized during document word segmentation and retrieval (#5031).
  • Agent: Full multimodal input support for AI Conversation nodes (#5276).
  • Agent: User input parameters can be displayed inline directly within input boxes for configuration.
  • Agent: Visibility condition configuration available for parameters of user input and form collection nodes to realize linkage between fields.
  • System: Support for custom language packs; custom locale files can be placed under /opt/maxkb/local/locales inside MaxKB container, and custom languages become selectable after service restart (#5120).

Feature Optimizations

  • Q&A Page: Hide user input parameters when starting a new conversation (#5298).
  • Agent: Display the name of currently running node alongside AI responses on Q&A page (#5092).
  • Agent: Added visibility toggle for parameters inside form collection nodes.
  • Agent: Added output parameter Result List for Direct Reply for multi-recall nodes.
  • Knowledge Base: Freeze operation buttons at top-right corner during document segmentation preview (#965).
  • Knowledge Base: Render segmented content in Markdown format on segmentation preview.
  • Models: MiniMax provider newly supports text-to-image, text-to-video and image-to-video models.
  • Models: Alibaba Cloud Bailian added multimodal embedding model support (#5142).
  • Models: Alibaba Cloud Bailian supports Wan2.7 image-to-video model (#5232).
  • Models: Parameter configuration is available for reranking models of all providers.
  • Role Management (X-Pack): Split agent creation permission and copy permission into independent permission bits (#5284).

Bug Fixes

  • Security Vulnerability: Fixed post-authentication RCE vulnerability caused by MCP permission bypass in MaxKB.
  • Knowledge Base: Fixed failure to upload documents in workflow knowledge base without corresponding workflow authorization (#5296).
  • Agent: Fixed abnormal display for embedded mobile layout, floating window layout and shared page style (#6130).
  • Agent: Fixed issue where all ECharts charts get overwritten by the first chart after page refresh when multiple charts are generated in one conversation.
  • Agent: Fixed uploaded files disappearing after page refresh once conversation ends in advanced agent (#5253).
  • Agent: Fixed exported conversation logs only showing username instead of full name, hindering user matching.
  • Shared Knowledge Base (X-Pack): Fixed empty result after importing to create shared knowledge base (#5274).
  • User Management: Fixed validation error when admin resets user passwords (#5301).
  • System Login (X-Pack): Fixed missing operation logs upon third-party user login.

Security Fixes

  • Fixed post-authentication RCE vulnerability caused by MCP permission bypass in MaxKB.
