New Features

• Agent: Added long-term memory capability. It supports generating memory by conversation rounds and time periods. Memories can be injected into prompts via variable references to improve conversation personalization and continuity.
• Agent: Nodes in advanced agent workflows support enable/disable, allowing debugging and temporary logic shielding without deleting nodes.
• Agent: Added associated resource viewing capability to check dependent and depended-on resources (#4859, #4872).
• Knowledge Base: Added associated resource viewing capability with bidirectional dependency tracing.
• Tools: Added associated resource viewing capability with bidirectional dependency tracing.
• Tools: Nodes in workflow tools support enable/disable, allowing debugging and temporary logic shielding without deleting nodes.
• Model: Added access support for MiniMax large language models and text-to-speech models (#4876).
• Model: Alibaba Cloud Bailian added support for MiniMax Speech voice model access (#4950).

Feature Optimizations

• Agent: User input and form collection nodes newly support the tree selector component (#4903).
• Agent: The variable assignment node supports explicitly assigning a variable to null (#4964, #5107).
• Agent: Added regular expression and wildcard matching modes for judge nodes in advanced agents (#4975).
• Agent: Batch copy and paste is supported for nodes on the orchestration canvas of advanced agents and workflows.
• Agent: Nodes inside loops support batch copy and paste across different loop bodies (#5128).
• Agent: The Publish permission of advanced agents is separated independently from edit permission and can be authorized separately.
• Agent: Added format guidelines for variable parameters of built-in nodes.
• Model: The model selection box only displays provider icons and model names for a cleaner interface.
• Model: All model providers support custom API Base URL to adapt to private deployment scenarios.
• Model: Model parameter changes are automatically synchronized to all associated referenced resources (#5134).
• Tools: ZIP installation packages uploaded for Skills tools support downloading.
• System: Optimized browser stuttering caused by excessive file directories.
• System: Optimized front-end stuttering when adding a large number of members to a role.

Bug Fixes

• Agent: Fixed the issue where subsequent nodes had no output after nesting a sub-agent node in a loop body (#5197).
• Agent: Fixed the issue that conversation records were lost after refreshing the page during streaming replies in simple agents (#5156).
• Agent: Fixed invalid search by creator in the agent list (#5177).
• Agent: Fixed the problem that triggers could be created for unpublished agents (#5146).
• Agent: Fixed abnormal icon display of workflow tools inside skill tools.
• Agent: Fixed the issue where unbinding the associated knowledge base in knowledge base retrieval nodes did not take effect (#5173).
• Model: Fixed abnormal parameter configuration of Volcano Engine image generation models (#5089).
• Model: Fixed errors of Volcano Engine multimodal vector models and supported custom model parameters.
• Model: Fixed the incorrect display position of the model Base URL.
• Model: Fixed occasional NaN errors in reranking models.

Security Vulnerability Fixes

• Security Vulnerability: Fixed the security vulnerability of missing authentication for Webhook trigger endpoints, which allowed unauthenticated requests to bypass authorization and trigger arbitrary tasks.

Security Vulnerability Fixes

• Security: Fixed the permission bypass and SSRF security issues in the OSS file service URL acquisition interface. Improved application permission verification, DNS resolution verification, and URL resolution consistency to prevent unauthorized access and intranet request forgery.

Bug Fixes

• Models: Fixed an error when setting the end frame for text-to-video generation using the wan model from Alibaba Cloud Bailian provider (#5111).
• Models: Fixed the issue where the image count setting did not take effect in the parameter configuration of Volcano Engine image generation models (#5089).
• Knowledge Base: Fixed the issue where document order became disordered after adjusting document order following document segment migration (#5106).
• Knowledge Base: Fixed abnormal segmentation caused by the intelligent segmentation rule not excluding # comments inside code blocks.
• Agent: Fixed an error in model skill invocation during conversation when the thinking process was enabled in the AI Conversation node and an agent was configured in skills (#4988).
• API Documentation: Fixed the missing sync_type parameter in the Web knowledge base synchronization API documentation (#5081).

New Features

• Tools: Added workflow-type tools;
• Tools: Supported automatic Python code generation;
• Knowledge Base: Supported importing and exporting all metadata of the knowledge base;
• Agent: Supported selecting models and knowledge bases during conversation;
• Agent: Supported batch selection to move to other folders or perform batch deletion;
• Agent: Added thinking process toggle settings for "Image Understanding" and "Video Understanding" nodes in advanced agents;
• Knowledge Base: Supported batch selection to move to other folders or perform batch deletion;
• Tools: Supported batch selection to move to other folders or perform batch deletion;
• Models: Added support for reranking models from the Baidu Qianfan provider (#4927);
• System: Unified all username display fields in the system to show the user's full name;
• Agent: The "Variable Aggregation" node in advanced agents now supports aggregating into dict-type variables (#4904);
• Agent: Optimized the split expression component of the "Variable Splitting" node in advanced agents (#4961).

Bug Fixes

• Agent: Fixed an error in user questions when using vLLM models with system prompts and Skills/MCP tools in the AI Conversation node;
• Agent: Fixed the incompatibility issue between vLLM models and the reasoning field;
• Agent: Fixed incorrect retrieval results when using the document tag retrieval node (#4942);
• Agent: Fixed the issue where the collapsed state of loop nodes in advanced orchestration was not saved (#4996);
• Agent: Fixed an error in the Image Understanding node during multi-turn conversations when images are not sent midway and then sent again (#4999);
• Agent: Fixed blank rendering issues when using ECharts (#4966);
• Agent (X-Pack): Fixed the issue where images sent via WeChat Work could not be opened after downloading from MaxKB conversation logs;
• Agent (X-Pack): Fixed the issue where authentication was not performed during conversations after enabling identity authentication for sub-agents in advanced agents;
• Knowledge Base: Fixed inaccurate description of "Allow preview in knowledge sources" in the Web Site knowledge base;
• Models: Fixed the missing error messages when token limit is exceeded or balance is insufficient for Alibaba Cloud Bailian reranking models (#4928);
• Models (X-Pack): Fixed the permission error when regular users click on shared models;
• Roles (X-Pack): Fixed the issue where other permissions were automatically checked when customizing the "About" permission for regular users (#4954);
• Resource Management (X-Pack): Fixed the issue where user roles were not displayed when authorizing resources in resource management.

Security Vulnerability Fixes

• Security: Fixed SSRF vulnerability bypassing sandbox connect() hook via socket.sendto()+MSG_FASTOPEN to prevent access to internal restricted services (#CVE-2026-39418);
• Security: Fixed remote code execution vulnerability for sandbox escape via env -i LD_PRELOAD to clear environment variables (#CVE-2026-39420);
• Security: Fixed sandbox bypass vulnerability for result spoofing via sys.exit(0) to bypass sandbox result verification (#CVE-2026-39419);
• Security: Fixed critical remote code execution vulnerability for sandbox escape via ctypes and unhooked SYS_pkey_mprotect (#CVE-2026-39421);
• Security: Fixed remote code execution vulnerability for Shell command injection via malicious configuration due to missing MCP server configuration validation (#CVE-2026-39417);
• Security: Fixed general stored cross-site scripting (XSS) vulnerability and strengthened user input security validation in all scenarios (#CVE-2026-39422);
• Security: Fixed stored XSS vulnerability in iframe_render caused by unfiltered user input (#CVE-2026-39426);
• Security: Fixed stored XSS vulnerability in Markdown rendering html_rander due to unfiltered HTML tags (#CVE-2026-39425);
• Security: Fixed stored XSS vulnerability in echarts_rander component via Eval malicious code injection (#CVE-2026-39423);
• Security: Fixed CSV injection vulnerability caused by unescaped special characters when exporting application chat logs to CSV (variant of CVE-2025-4546) (#CVE-2026-39424).

Bug Fixes

• Models: Fixed the error when adding the image generation model of Douban (Doubao);
• Applications: Fixed the issue where the service restarted when exporting conversation logs due to a large volume of conversation log data;
• Applications: Fixed the issue where conversation records could not be exported when there was abnormal content in conversation logs;
• Applications: Fixed the issue where the judge node could not handle multiple conditions;
• Login: Fixed the login failure issue when the username contained Chinese characters (#4232);
• Internationalization: Fixed the incorrect description when adding the vision model of Xorbits Inference under Traditional Chinese/Simplified Chinese language settings.

Bug Fixes

• Models: Fixed the error that occurred when using Embedding models from the Ollama provider;
• Installation & Deployment: Fixed the upgrade error caused by incompatible dependency package versions on some older machines;
• Agent: Fixed the issue where the style of tool call data was not displayed in execution details.

New Features

• Tools: Added Skills management capability to tools（#4682）;
• Agent: Supported agents to call Skills autonomously（#4682）;
• Q&A Page: Supported sharing conversation records on the Q&A page;
• Knowledge Base: Supported directly adding/removing document tags from the tag dimension;
• Login Authentication (X-Pack): Supported configuring the allowed login methods for system users.

Feature Optimizations

• Agent: Added the function to search/locate nodes on the workflow orchestration page of advanced agents;
• Agent: Added support for searching models in the model selection drop-down box (#4769);
• Agent: When hovering the mouse over resources in the dialog boxes for selecting knowledge bases, tools, and agents, more information about the resources can be displayed (#4657);
• Agent: Added support for the "Not Equal To" option for conditions in the judge node of advanced agents (#4885);
• Knowledge Base: Added a "Tags" column to the document list (displayed), and supported adding tags to documents in this column (#4616);
• Q&A Page: Optimized the UI style of tool calls;
• Triggers: Added support for setting scheduled triggers via Cron expressions (#4820);
• Models: Added support for image generation models from the Gemini provider (#4492);
• Models: Added support for vision models from the Silicon Flow (Guiji Liudong) provider (#4789).

Bug Fixes

• Knowledge Base: Fixed the issue where documents were not exported in segmentation order when exporting (#4818);
• Agent (X-Pack): Fixed the issue where output content was not formatted with Markdown during conversations in the Lark client;
• Agent: Fixed the issue where the pop-up window was not fully displayed when users gave thumbs-up/down feedback after AI reply content, when embedded in third-party platforms with full-screen embedding selected;
• Agent: Fixed the issue where AI nodes were displayed as completed in execution details even though they were not fully executed (#4845);
• Agent: Fixed the issue where conversations could still be conducted when calling the same application using API Keys of different applications (#4854);
• Agent: Fixed the issue where the question optimization node did not take effect (#4874);
• Agent: Fixed the issue where the AI model and associated knowledge base in settings were cleared after moving files in simple agents (#4890);
• Q&A Page: Fixed the incorrect style display when form collection content existed during conversations;
• Q&A Page: Fixed the issue where conversation content was not internationalized when users gave thumbs-up/down feedback after AI reply content;
• Q&A Page (X-Pack): Fixed the issue where conversation users created by third parties could not modify their passwords after logging into the application via account login;
• Models: Fixed the error when adding image generation models from the Volcano Engine provider.

Bug Fixes

• Agent: Fixed the issue where tool execution failed under certain circumstances in the agent workflow; #4790
• Agent: Fixed the issue of incorrect acquisition of historical records in AI Conversation nodes when parallel nodes existed in the agent workflow; #4778
• Agent: Fixed the front-end error caused by excessively large data streams returned by the back-end when the AI responded to questions;
• Knowledge Base: Fixed the issue where segmentation markers (blank lines and carriage returns) did not take effect after selecting intelligent segmentation for document uploads; #4791.

New Features

• Agent: Added trigger activation capability;
• Agent (X-Pack): Supported setting validity period for Agent API Keys;
• Agent: Added IP Address and Source attributes to the conversation log list;
• Agent: Supported setting independent cleanup policies for uploaded files in conversation logs;
• Tools: Added trigger activation capability;
• Tools: Added the function to view execution records;
• Shared Tools (X-Pack): Added the function to view execution records;
• Triggers: Added trigger management function for the workspace administrator role;
• Knowledge Base: General Knowledge Base, Web Site Knowledge Base, and Lark Knowledge Base all support direct conversion to Workflow Knowledge Base;
• Knowledge Base: Added support for batch exporting documents in the document list;
• System Management (X-Pack): Supported setting validity period for system API Keys.

Feature Optimizations

• Agent: Adjusted the position of the Go to Conversation button to the Agent panel;
• Agent: Added a Current Moment setting for the default value of date-type parameters entered by users; after setting, the parameter dynamically obtains the current time on the Q&A page;
• Models: Added support for entering the API URL parameter for video models and speech recognition models of Alibaba Cloud BaiLian;
• Models: Vector models of the Volcano Engine provider support docking with multimodal vector models;
• Models: Speech recognition models of the Volcano Engine provider support the docking method of speech recognition for audio files;
• Models: Added support for setting the Response Type parameter (e.g., response_format=b64_json) in the model parameters of image generation models of the OpenAI provider; #4538
• System: Optimized internationalized copy and partial UI interfaces.

Bug Fixes

• Agent: Fixed the issue where the Referenced Segment Count and Segment Title + Content fields were missing when exporting conversation logs;
• Agent: Fixed the issue where the calling process was not displayed if a tool in skills had no input parameters when the AI model called the tool;
• Agent: Fixed the issue of disordered AI reply content when a sub-agent in a loop body also had a loop node (#4654);
• Agent: Fixed the issue where AI reply content did not automatically scroll to the bottom during Agent debugging (#4660);
• Login Authentication (X-Pack): Fixed the issue where the number of failed login attempts for displaying captcha could not be set to 0;
• Models: Fixed the issue where the slm speech recognition model of iFlytek Spark could not convert speech to text;
• Models: Fixed the error when editing the iat model of iFlytek Spark;
• Folders: Fixed the issue where users with only folder view permissions could still create subfolders (#4688).

New Features

• Agent: Upgraded the "Application" module to the "Agent" module;
• Agent: Added automatic agent calling function to simple agents, and merged tools, MCP, and agents into the "Skills" function;
• Agent: Added automatic agent calling function to AI Conversation nodes in advanced agents, and merged tools, MCP, and agents into the "Skills" function;
• Agent: Supported creating agents via templates in the Template Center;
• Agent: Added exception branch output to all AI capability nodes in advanced agents to enhance process fault tolerance;
• Agent: Supported displaying feedback information filled by users in conversation log details;
• Agent: The user input parameter component in the Basic Information node supports multi-line text boxes, single-line tab components, and single-line multi-select tab components;
• Agent: Input parameters in custom tool nodes support boolean type;
• Q&A Page: Supported users to fill in feedback information when submitting feedback;
• Knowledge Base: Supported canceling the document import process in workflow knowledge bases;
• Knowledge Base: Added workflow import/export function to workflow knowledge bases;
• Knowledge Base: Supported viewing associated resources;
• Tools: Supported viewing associated resources;
• Tools: Added JSON text box and slider components to the component types in parameter dialogs;
• Folders: Supported sorting by name, creation time, and custom drag-and-drop order;
• Models: Supported viewing associated resources;
• Login Authentication (X-Pack): Added default role assignment function for third-party users in login settings;
• Login Authentication (X-Pack): Added account lockout function after failed login attempts in login settings;
• User Management: Supported setting default resource permissions when creating users;
• User Management (X-Pack): Supported batch role assignment and batch user deletion.

Feature Optimizations

• Agent: Added conversation user group {{global.chat_user_group}} to the start node in advanced agents;
• Knowledge Base: Optimized the hit test interface to use POST requests;
• Folders: Supported authorizing folders by user roles;
• API Key: Optimized system API Keys to be isolated by user;
• Q&A Page: Removed the limit of only viewing 20 historical chat records;
• Q&A Page: Supported editing and re-submitting the last question;
• Q&A Page (X-Pack): Supported logout function for third-party conversation users after logging into the Q&A page;
• System: Optimized the system UI interface.

Bug Fixes

• Security Vulnerability: Fixed the XSS vulnerability caused by file uploads;
• Security Vulnerability: Fixed the issue where Python code in the tool module loaded dynamic link libraries to bypass security restrictions;
• Security Vulnerability: Fixed the potential RCE issue caused by deserializing untrusted objects via pickle in Celery;
• Tools: Fixed the false interception of emails sent via the SMTP protocol;
• Agent: Fixed the issue where the scroll bar of the tool drop-down box in MCP nodes could not scroll;
• Agent: Fixed the style issue where execution details of MCP call and tool nodes exceeded the screen;
• Agent: Fixed the issue where child agents could not receive video files from parent agents (#4568);
• Knowledge Base: Fixed the style issue where video components in segmentation details exceeded the segmentation detail area (#4542);
• Knowledge Base: Fixed the issue where all videos automatically played when opening the segmentation details page.

Bug Fixes

• Applications: Fixed the incorrect jump path of the Go to Conversation button on the workflow orchestration page when the system's secondary path has been modified;
• Applications: Fixed the issue where the reference variable selection could not be canceled for tool nodes in advanced orchestration applications;
• Applications: Fixed the issue where the workflow did not terminate when a node inside the loop body threw an error;
• Applications: Fixed the inconsistency between the node order in the add component dialog and the node order in the loop body;
• Applications (X-Pack): Fixed the redirection issue on the WeChat Work QR code login page for conversation users;
• Knowledge Base: Fixed the issue where the previous page state was not retained when returning to the document list page from the document segmentation details page;
• Knowledge Base: Fixed the parsing failure issue of global variables entered in the specified reply node of the workflow knowledge base;
• Knowledge Base: Removed the historical chat record function from the Image Understanding, Video Understanding, and AI Conversation nodes in the workflow knowledge base;
• Knowledge Base: Fixed the issue where newly created vector models were not displayed in the vector model list when creating them in the knowledge base creation interface;
• Resource List: Fixed the incorrect display of the resource list when moving resources to folders in the root directory of applications/knowledge bases/tools;
• Tools: Fixed the issue where data source tools lacked parameters set during debugging;
• Tools: Fixed the issue where IPv6-mapped IPv4 addresses were not intercepted;
• API Documentation: Fixed the incorrect parameter type of the document segmentation interface.

Bug Fixes

• Applications: Fixed the issue where the "Submit" button could not be clicked when the form collection node was executed;
• Applications: Fixed the issue of incorrect retrieval results when the tag value of the document tag retrieval node was None;
• Applications: Fixed the issue where Input parameters were incompletely output when the AI model called MCP;
• Knowledge Base: Fixed the execution error of image understanding in the knowledge base workflow;
• Knowledge Base: Fixed the issue where zip files containing images could not be written to the knowledge base when uploaded;
• Knowledge Base: Fixed the issue where custom input file formats in local files of data source nodes were case-sensitive;
• Tools: Fixed the issue of abnormal console errors in the tool editor under certain circumstances;
• Models: Fixed the cache_dir error that occurred when adding a local reranking model.

Security Vulnerability Fixes

• Fixed the permission bypass issue caused by system file overwriting (CVE-2025-66446);
• Fixed the permission bypass issue caused under specific concurrent conditions (CVE-2025-66419).

Special thanks to GitHub users @yck99, @NikoCat233, and @Threonine for discovering and promptly reporting the above vulnerabilities to the MaxKB open-source community!

New Features

• Knowledge Base: Added workflow knowledge base;
• Tools: Added data source tools;
• Tools: Tools in the Tool Store support two types: "Tool" and "Data Source";
• Models: AWS provider added support for vision models and reranking models;
• Models: Vision models of OpenAI, Ollama, vLLM, Xinference, and Zhipu AI providers support video understanding functionality;
• Models: Added support for large language models, vector models, and reranking models from the Docker AI provider;
• Applications: Added "URL Address" as an upload method in the file upload settings;
• Applications: Added ranking statistics for "User Consumed Tokens" and "User Question Count" to the monitoring statistics on the overview page;
• Resource Authorization: Supported filtering users by role when authorizing applications, knowledge bases, tools, and models to users by resource;
• Login Authentication (X-Pack): Added SAML2 login authentication method.

Feature Optimizations

• Applications: The generated prompts of AI conversation nodes in advanced applications no longer carry application names and description information;
• Applications: Supported outputting request parameters when AI models call MCP tools;
• Applications: Supported using shortcut keys to copy nodes into loop bodies in advanced orchestration;
• Tools: Supported importing three types of resources: tools, MCPs, and data sources;
• Tools: Adjusted the Tool Store entry to the tool list;
• Tools: Removed system built-in tools and moved them to the Tool Store.

Bug Fixes

• Q&A Page: Fixed the issue where retrieval results of knowledge base retrieval nodes in loop bodies were not displayed in knowledge sources;
• Applications: Fixed the incorrect display of execution time for loop nodes in execution details;
• Applications: Fixed the incorrect retrieval results when the variable value was empty in the document tag retrieval node;
• Knowledge Base: Fixed the issue where the original document could not be opened after downloading it following replacement (#4397);
• Models: Fixed the generation error of the qwen-image model from the Alibaba Cloud BaiLian provider (#4376);
• Models: Fixed the error when adding the gpt-5-codex model from the Azure OpenAI provider;
• Models: Fixed the incorrect setting of some parameters for vLLM models (#4403);
• Roles: Fixed the issue where the "About" permission authorized to workspace administrators and ordinary users did not take effect;
• Conversation Users (X-Pack): Fixed the issue where non-essential information was displayed in the conversation user query interface;
• API Documentation (X-Pack): Revised several inaccurate descriptions in the API documentation.

Security Vulnerability Fixes

• Security Vulnerability: Fixed the vulnerability where Python code in tools could access local services (CVE-2025-64511);
• Security Vulnerability: Fixed the vulnerability where Python code in tools could obtain system configuration information (CVE-2025-64703).

Special thanks to the XlabAI Team of Tencent Xuanwu Lab (@XlabAITeam) for discovering and promptly feeding back the above vulnerabilities to the MaxKB open-source community!

Feature Optimizations

• System: Through code refactoring and architecture optimization, significantly reduced CPU and memory usage, comprehensively improving system resource utilization, stability, and concurrent processing capabilities;
• System: Displayed the user's name in the upper right corner after the user logs in to the system (#4315);
• Applications: Users authorized with "View" permission can access the "Settings" page of the application;
• Folders: Folders in the application, knowledge base, and tool lists support movement and drag-and-drop movement;
• Folders: Removed the hierarchical limit for folders in the application, knowledge base, and tool lists;
• User Management: Adjusted the maximum length of usernames and full names to 64 characters;
• Conversation Users (X-Pack): Adjusted the maximum length of usernames and full names to 64 characters.

Bug Fixes

• Knowledge Base: Fixed the occasional failure of document vectorization;
• Knowledge Base: Fixed the issue where the association between segments and questions was not synchronously deleted when deleting a document;
• Applications: Fixed the issue where multiple forms were repeatedly displayed in the conversation when there was a form collection node in the loop body (#4326);
• Applications: Fixed the issue where the output content directly displayed the "context" abnormal information during the conversation when there was a form collection node in the loop body;
• Applications: Fixed the issue where the output parameters of the loop node would become "None" when there was a form collection node in the loop body;
• Applications: Fixed the issue where the last folder was not displayed when adding a tool node;
• Resource Authorization: Fixed the issue where the folder would automatically collapse when authorizing resources under the folder;
• Q&A Page: Fixed the issue where users could not log in via WeChat Work QR code on the Safari browser.

New Features

• Knowledge Base: Added "Tag Management" function;
• Knowledge Base: Added "Tag Setting" function for documents in the knowledge base;
• Knowledge Base: Added "Replace Original Document" function for the general knowledge base;
• Applications: Added "Document Tag Retrieval" node to Advanced Orchestration Applications;
• Applications: Added "Video Understanding" node to Advanced Orchestration Applications;
• Applications: Added "Variable Splitting" node to Advanced Orchestration Applications;
• Applications: Added "Variable Aggregation" node to Advanced Orchestration Applications;
• Applications: Added "Parameter Extraction" node to Advanced Orchestration Applications;
• Applications: Added "Video" file type option to file upload settings;
• Applications: Added "startwith" and "endwith" judgment conditions to the Judge node;
• Applications: Added "Historical Chat Records {history}" parameter to the output parameters of the AI Conversation node;
• Applications: Added two retrieval scope options (manual selection of knowledge base and variable reference) to the Knowledge Base Retrieval node;
• Resource Authorization: Supported authorizing folder resources by user;
• Resource Authorization: Supported folder-based resource authorization for applications, knowledge bases, and tools in the workspace;
• System Management (X-Pack): Added cleaning policies to operation logs to help administrators manage log data efficiently.

Feature Optimizations

• Applications (X-Pack): Supported password-free login for users after the application is connected to WeChat Work, Lark, or DingTalk;
• Applications: Supported video file types for file uploads;
• Applications: Added URL address setting support for the "select file" parameter of Image Understanding, Image-to-Video, and Video Understanding nodes;
• Applications: Allowed Variable Assignment nodes to be used as end nodes;
• Applications: Supported batch selection of nodes on the workflow orchestration page;
• Applications: Added a description field to interface parameters;
• Applications: Adjusted the maximum value of the "Question Limit per Client" option in "Access Restrictions" to 10 million times per day;
• Applications: Added custom input support for multi-select box components in the Form Collection node;
• Applications: Displayed all applications in the current workspace in the root directory and supported global search;
• Tools: Displayed all tools in the current workspace in the root directory and supported global search;
• Tools: Added variable parsing support for custom-type parameters;
• Knowledge Base: Displayed all knowledge bases in the current workspace in the root directory and supported global search;
• Roles: Adjusted the "About" permission to the ordinary user role;
• Models: Added model parameter setting support for vector models.

Bug Fixes

• Applications: Fixed the issue where tool nodes in the loop body were not exported when exporting the application;
• Applications: Fixed the issue where nodes after the Form Collection node in the loop body could not output loop variables;
• Applications: Fixed the issue where the content of the first parameter was cleared when modifying the content of the second parameter in the MCP Call node;
• Applications: Fixed the issue where Tokens showed 0 during conversations when using the Zhipu large language model and enabling the tool function in the AI Conversation node;
• Applications (X-Pack): Fixed the issue where the history record setting option in display settings did not take effect (#4201);
• Q&A Page: Fixed the issue where uploaded files were lost when clicking the "Get Another Answer" button after uploading files and asking questions on the Q&A page (#4180);
• Q&A Page: Fixed the issue where conversation records were lost when adjusting the size of the conversation window while asking questions on the Q&A page (#4202).

Feature Optimizations

• Tools: Added a "Parameter Prompt Description" field for input parameters;
• Tools: For tools added from the Tool Store, clicking the panel allows opening the tool details;
• Models: The visual models of the Alibaba Cloud BaiLian provider now support qwen-vl-ocr.

Bug Fixes

• Applications: Fixed the abnormal display issue when dragging the MCP Call node while adding components; #4152
• Applications: Fixed the issue where different branches of the judge could not connect to the same subsequent node; #4146
• Applications: Fixed the issue where adding multiple loop nodes might cause extra independent loop bodies to appear; #4142
• Applications: Fixed the incorrect display of the icon of the preceding node in the drop-down options of "Select Variable";
• Applications: Fixed the error issue when using the condition of "judging variable as empty" in the judge;
• Applications: Fixed the missing parameters when copying the knowledge base retrieval node after selecting a knowledge base for it;
• Tools: Fixed the issue where tools in the Tool Store did not display descriptions;
• Tools: Fixed the issue where clicking the "Create" button repeatedly when creating a tool would create multiple tools;
• System: Fixed the incorrect internationalization of the prompt message for wrong verification codes;
• System: Fixed the issue where built-in roles did not take effect after switching the language to English.

Release Notes for MaxKB v2.2.0 Community Edition

In MaxKB v2.2.0 Community Edition, regarding Applications: Advanced Orchestration Applications have added Loop Nodes, Intent Recognition Nodes, Text-to-Video Nodes, and Image-to-Video Nodes. Simple Applications now support MCP and tool calling functions, and have newly added prompt generation capabilities. For Tools: MaxKB has launched a brand-new Tool Store, allowing users to select required tools directly without self-development. In terms of Models: MaxKB has added support for Text-to-Video and Image-to-Video models from Alibaba Cloud BaiLian and Volcano Engine.

For the X-Pack Enhancement Package: MaxKB supports default login method settings, enabling administrators to customize the system’s default login channels (e.g., account-password login, third-party login, etc.) based on enterprise needs; it also newly supports setting to enable captcha verification after N failed login attempts.

New Features

• Tools: Added Tool Store;
• Applications: Added Loop Node, Break Node, and Continue Node;
• Applications: Added Intent Recognition Node;
• Applications: Added Text-to-Video Node;
• Applications: Added Image-to-Video Node;
• Applications: Simple Applications now support MCP and tool calling functions;
• Applications: Added support for prompt generation;
• Applications: Added "Output MCP/Tool Execution Process" switch setting;
• Applications: Variable Assignment Nodes now support the bool data type when assigning values;
• Applications: MCP configuration information supports variable parsing;
• Applications: Conversation users support the setting to enable captcha verification after a specified number of failed account login attempts (X-Pack);
• Knowledge Base: Supports parameter settings for models that handle question generation tasks;
• Models: Alibaba Cloud BaiLian provider has added support for Text-to-Video and Image-to-Video models;
• Models: Volcano Engine provider has added support for Text-to-Video and Image-to-Video models;
• Models: Speech Recognition Models support model parameter settings;
• Login: Added default login method setting (X-Pack);
• Login: Added setting to enable captcha verification after a specified number of failed user login attempts (X-Pack);
• Login: Upgraded the login captcha to an authentication mechanism with user isolation functionality.

Feature Optimizations

• Q&A Page: Added a "Back to Bottom" shortcut operation;
• Knowledge Base: The question list supports the "Show 1000 Items" option setting;
• Applications: Optimized the display style of "Add Component" for Advanced Orchestration Applications;
• Applications: Optimized the descriptions of system prompts and user prompts;
• Resource Management: Added support for filtering by type in the resource list filter options (X-Pack).

Bug Fixes

• Knowledge Base: Fixed the issue where exporting a knowledge base would time out and report an error when the knowledge base contains a large amount of data (#3995);
• Applications: Fixed the issue where the thinking process was not returned when using the application API interface for conversations (#4084);
• Applications: Fixed the issue where the display order of login methods in Access Restrictions was not sorted by category (#4049);
• Applications: Fixed the issue where the "Question Limit per Client" option setting in Access Restrictions did not take effect (#4042);
• Q&A Page: Fixed the issue where the send button was not displayed on some browsers in the iOS system;
• Q&A Page: Fixed the issue where refreshing the browser on the Q&A page would open the application list page after setting the question interface parameters in the application settings (#4076);
• Q&A Page: Fixed the issue where the font style of the thinking process was incorrect (#2792);
• Models: Fixed the issue where the parameter settings for the speech synthesis model from the Silicon Flow provider did not take effect.

New Features

• Login: Optimized the login system to encrypt user passwords.

Bug Fixes

• Q&A Page: Fixed the issue where AI responses would throw errors when users ask questions after incomplete file uploads.
• Applications: Fixed the issue where the asker's questions were not displayed in the application's conversation logs when asking questions in the floating dialog box.
• Applications: Fixed the issue of incorrect styling for thinking processes.
• Applications: Fixed the issue where users without application permissions could still view application conversation records through API interfaces.
• Applications: Fixed the occasional issue of database connection closure during conversations.
• API Documentation: Fixed several display issues in the API documentation.

Bug Fixes

• Applications: Fixed the issue where newly created "MCP Call" nodes would throw errors during execution.
• Knowledge Base: Fixed the problem where the "Maximum number of files per upload" setting in knowledge base settings did not take effect.

Enhancements

• Application: The MCP settings function of the AI Conversation Node now supports selecting multiple MCP tools.

Bug Fixes

• Tools: Fixed the vulnerability that allowed arbitrary system commands to be executed via tool operation;
• Tools: Fixed the abnormal style display issue on the MCP editing page;
• Application: Fixed the issue where multiple session variables could not be added in the Basic Information Node;
• Application: Fixed the incorrect time zone issue of the global variable "Current Time";
• Application: Fixed the issue where pressing the Enter key in the user input title setting dialog would open a new web page;
• Knowledge Base: Fixed the issue where images in the knowledge base were not exported when exporting the knowledge base;
• Knowledge Base: Fixed the issue where the file name of the exported knowledge base did not match the name of the knowledge base itself;
• Role Management (X-Pack): Fixed the incorrect internationalization display issue of the Role Management function.

Release Notes

New Features

• Tools: Added the MCP tool management function.
• Applications: Added tool settings for AI conversation nodes; after users select a custom tool, the model can independently decide whether to call the configured tool.
• Applications: Parameters of form collection nodes now support variable reference.
• Applications: Added multi-line text boxes, file upload, and single-line multi-select box components to form collection nodes.
• Applications (X-Pack): Application access now supports connection to WeChat Work intelligent robots, enabling users to achieve efficient linkage between AI capabilities and the WeChat Work office ecosystem.
• Applications (X-Pack): Added the "Show History Records" option in display settings.
• Q&A Page: Supported exporting current conversation records as PDF and PNG image formats on the Q&A page.
• Knowledge Base: Added the "Allow Download in Knowledge Sources" setting option for documents in the general knowledge base and Lark knowledge base.
• Resource Authorization: Added resource-level authorization function, supporting the authorization of core resources such as applications, knowledge bases, tools, and models to specified users.
• Resource Authorization: When authorizing resources by user in system management, different permissions can be set for each resource.
• Models: Added support for reranking models and speech recognition models to the vLLM provider.
• Models: Added support for speech recognition models to the Tencent Hunyuan provider.
• Models: Added support for Chinese speech large models to the speech recognition models of the iFlytek Spark provider.
• Models: Added support for qwen-omni-turbo, qwen2.5-omni-7b, and ASR models to the speech recognition models of the Alibaba Cloud BaiLian provider.
• Models: Added support for the API Version V2 connection method to the Baidu Qianfan Large Model provider.

Enhancements

• Applications: Added the function of querying by user in the conversation log list.
• Applications (X-Pack): After an application is connected to Lark, AI response content is displayed in Markdown format.
• Q&A Page: Automatically creates a new conversation by default when entering the Q&A page.
• Q&A Page: Optimized the issue where a default question is automatically generated when uploading files or images.
• Tools: Added a secondary confirmation prompt when clicking the "Close" or "Cancel" button while creating or editing a tool.
• Login: Users must change their default password before continuing to use the system after logging in with it.

Bug Fixes

• Applications: Fixed the issue where MCP nodes in advanced orchestration applications were not internationalized.
• Applications: Fixed the issue where session variables could not be read when used after form collection nodes.
• Q&A Page (X-Pack): Fixed the issue where the custom application Logo was not displayed in the browser tab.
• Q&A Page (X-Pack): Fixed the issue where existing authentication information remained valid when switching the application's identity authentication method in the "Access Restriction" function.
• Q&A Page: Fixed the issue where the content display style was messed up when clicking the "Collapse" button in the left navigation area.
• Q&A Page: Fixed the issue where a "missing parameter" prompt appeared when a conversation user asked a question after re-logging in.
• Q&A Page: Fixed the issue where conversation records were not displayed in the conversation record area when loading historical record data.
• Q&A Page: Fixed the issue where uploading an empty file caused extraction errors.
• Q&A Page: Fixed the issue where tags were displayed abnormally when the content of quick questions was too long.
• Knowledge Base: Fixed the issue where the input box on the hit test interface was displayed incompletely when the system had no License authorization.
• Knowledge Base: Fixed the issue where there was no secondary confirmation when clicking the "Back" button during document upload to the knowledge base.
• Knowledge Base: Fixed the issue where search results were incorrect when searching by segment content in the knowledge base segment details.
• Knowledge Base: Fixed the issue where the same segment could be associated with the same question multiple times.
• Knowledge Base: Fixed the issue where the "Number of Associated Segments" count was incorrect in the question list.
• Models: Fixed the issue where models in the "All Models" list were not displayed in descending order of creation time.
• Resource Authorization: Fixed the issue where users with only knowledge base view permission could add segments in conversation logs.
• Folders: Fixed the issue where clicking the "Back" button in the resource details of applications and knowledge bases always returned to the root directory.
• Conversation Users (X-Pack): Fixed the issue where user passwords were not synchronized when synchronizing system users.
• Conversation Users (X-Pack): Fixed the issue where a new conversation user could be created successfully even without setting a user group.

New features

• Knowledge Base: Improved knowledge base search performance for complex scenarios with large amounts of data.
• Q&A Page: Users can directly submit files or images to ask questions.

Bug Fixes

• Knowledge Base: Fixed an issue where links in web knowledge base documents could not be accessed in some cases;
• Knowledge Base: Fixed an issue where search results were inaccurate when searching by segment content in the segment details of a document;
• Applications: Fixed an issue where parameters in function nodes in advanced orchestration applications were not echoed;
• Applications: Fixed an issue where node connections in advanced orchestration applications were incorrectly connected;
• Applications: Fixed an issue where AI responses were incorrectly included in the MCP execution results;
• Applications: Fixed an issue where dragging parameters multiple times in form collection nodes caused a console error;
• Applications: Fixed an issue where clicking a quick question set in the opening line in the conversation log would call the application's answer;
• Operation Logs: Fixed a vulnerability where user passwords could be seen in the operation log; (X-Pack)
• Installation and Deployment: Upgraded the PostgreSQL database version to v15.14;
• API Documentation: Fixed several known issues.

New features

• Application: The advanced orchestration application has added a session variable function;
• Conversation User (X-Pack): Supports login via QR code for conversation users;
• Conversation User (X-Pack): Supports synchronization of LDAP and WeChat Work users;
• Resource Management (X-Pack): Supports unified management of workspace-related resources.

Enhancements

• Conversation User (X-Pack): Supports querying by user source and status;
• Knowledge Base: Improved knowledge base retrieval performance for complex scenarios with large amounts of data;
• Knowledge Base: Conversation users can query by user source;
• Application: Adjusted the file upload limit for advanced orchestration applications, allowing a maximum of 100 files to be uploaded in a single conversation, with a maximum size of 1000MB per file;
• Application: Supports querying by application release status;
• Application: Conversation users can query by user source;
• Q&A Page: Automatically populates the question field after uploading a file;
• Q&A Page: Optimized the login interaction experience in floating window mode and mobile mode;
• User Management: Supports querying by user source and status;
• System: Optimized the system UI style.

Bug Fixes

• Knowledge Base: Fixed the issue where an error is reported when hitting the test in full-text search mode;
• Knowledge Base: Fixed the problem of incorrect internationalization display for some content on the offline document upload page;
• Knowledge Base: Fixed the issue where the scroll range of the scrollbar on the segmentation rule page for uploading offline documents is incorrect;
• Application (X-Pack): Fixed the problem that AI responses were not displayed in Markdown style during conversations on the DingTalk platform connected to the application;
• Application: Fixed the error when MCP calls node execution in some cases;
• Application: Fixed the problem of repeated execution caused by multiple connections between two identical nodes;
• Application: Fixed the issue where parameters are displayed incorrectly when modifying model parameters;
• Application: Fixed the problem that unpublished applications were not filtered out when adding application sub-nodes;
• Q&A Page: Fixed the issue where the URL is not displayed when the uploaded file name contains the "&nbsp" character;
• Q&A Page: Fixed the problem that images in AI responses cannot be clicked to enlarge during user conversations;
• Q&A Page: Fixed the display misalignment issue when AI responses are table data;
• Q&A Page (X-Pack): Fixed the error when opening the Q&A page when the License is not authorized;
• Shared Model (X-Pack): Fixed the error when deleting a shared model.

Bug Fixes

• Security: Fixed a potential remote command execution vulnerability during MCP calls (CVE-2025-53928).
• Knowledge Base: Fixed the issue where an error occurs when saving after modifying the "Hit Handling Method" setting in the "Settings" of documents in Feishu Knowledge Base; (X-Pack)
• Knowledge Base: Fixed the problem that the update time of the document list does not update after adding, deleting, or modifying segments in the document.
• Function Library: Fixed the issue where the built-in database query function fails to serialize into a JSON string.
• Q&A Page: Fixed the problem that using shortcut keys to copy and paste images overwrites previously uploaded images.
• Q&A Page: Fixed the issue where files cannot be uploaded by dragging and dropping in the Firefox browser.
• Q&A Page: Fixed the problem that the URL is not displayed when the name of the uploaded file contains a " " character.
• Q&A Page: Fixed the issue of misaligned interface display when the application name is too long.
• Q&A Page: Fixed the problem that the latest questions are not displayed after the number of conversation records exceeds 20.
• Q&A Page: Fixed the issue where a single English word in the shortcut questions of the opening remarks is displayed in two lines.
• Application: Fixed the abnormal display of the Q&A page when the "Show History" setting is not checked in the "Display Settings" function of the simple application.
• Application: Fixed the issue of missing thinking process labels in some cases in advanced orchestration applications.
• Application: Fixed the problem that database files may be corrupted under special circumstances when there are many concurrent conversation users.
• Application: Fixed the error when exporting conversation logs when customizing the query time in the conversation logs.
• Application: Fixed the issue that non-streaming cannot count the consumed tokens when conducting conversations through the application's API Key.
• Application: Fixed the error caused by special characters in the form parameters output by the specified reply node.
• Application: Fixed the incorrect prompt when the configuration information of the MCP node is filled in incorrectly.
• Application: Fixed the issue that the DeepSeek-r1 model of Alibaba Cloud Bailian does not return content when calling the MCP service through the steamable HTTP MCP method.
• Installation and Deployment: Fixed several known issues.
• API Documentation: Fixed several known issues.

Bug Fixes

• 【User Management】Fixed the error that occurs when editing a user;
• 【Application】Fixed the issue where the segmented display of knowledge source citations in conversations was incorrect when only "Display Knowledge Sources" was enabled without enabling "Execution Details" in the "Display Settings" function;
• 【Application】Fixed the error that occurs during conversations when the "Multi-channel Recall" node is executed if the value of the re-ranked content in the node is empty;
• 【Q&A Page】Fixed the problem that audio files in AI responses cannot be dragged for playback;
• 【Tools】Fixed the absence of the "Debug" function in the tool creation interface after users with the ordinary user role log in to the system;
• 【Shared Tools】Fixed the failure to add tools from the tool store. (X-Pack)

Important Upgrades

■ Comprehensive Upgrade of Multi-Tenant Permission Management System (X-Pack)

In MaxKB V2, the multi-tenant permission management system has been fully upgraded. Through the collaboration of four modules: user management, role management, workspace, and resource authorization, an extensible multi - tenant permission management system has been built. It effectively supports the permission and resource management needs of multiple organizations, departments, and user groups, achieving precise control of permissions and resources by the system.

Role management is the core of the RBAC permission system. MaxKB V2 comes with three preset roles: system administrator, workspace administrator, and ordinary user. The system administrator has system - level management permissions, the workspace administrator is responsible for managing members and resource authorization, and ordinary users can maintain self - created and authorized resources.

In addition, MaxKB V2 supports the function of custom roles based on the system - preset roles. It allows for personalized permission configuration on the basis of inheriting the permissions of system administrators, workspace administrators, or ordinary users.

■ New Shared Resource Management Function (X-Pack)

MaxKB V2 has added a shared resource function, supporting cross - workspace resource reuse and collaboration. System administrators can uniformly manage core resources such as knowledge bases, tools, and models, and authorize them to designated workspaces. While ensuring the secure sharing of resources, it achieves a balance between sharing and control through permission control.

■ New Conversation User Management Function (X-Pack)

MaxKB V2 has also added the "conversation user management" function, supporting identity authentication on the question - asking end. Through the linkage of modules such as conversation users, user groups, application - conversation users, and knowledge base - conversation user authorization, this function realizes the management and control of users' question - asking scope and knowledge retrieval permissions. Thus, it achieves precise management of "one person, one permission" and "one group, one permission", further enhancing the security and controllability of the system. The new version of MaxKB also supports third - party authentication methods such as LDAP, OIDC, CAS, and OAuth2 to meet enterprise data security requirements.

■ Support for Managing Applications, Knowledge Bases, and Tools by Folder Directories

MaxKB V2 has upgraded its resource management capabilities. After logging in, users can enter the workspace to manage resources. Workspace resources include four core types: applications, knowledge bases, tools, and models. Among them, applications, knowledge bases, and tools can be managed by folder directories. This improvement facilitates users to classify and organize resources, conduct hierarchical management, and perform quick retrieval, greatly improving the efficiency of resource management and the convenience of use.

Enhancements

• Resource Management: System administrators are supported to view the list of applications, knowledge bases, tools, and model resources of all workspaces;
• Knowledge Base: After uploading offline documents to the general knowledge base, the original documents will be stored, and downloading of the original documents is supported;
• Knowledge Base: The segment detail page is optimized to support the adjustment of segment order;
• Application: The knowledge base retrieval node and multi - path recall node of advanced orchestration applications have added a switch setting of "results displayed in knowledge sources";
• Application: In the "display settings" function, setting the chat background of the question - and - answer page is supported; (X - Pack)
• Application: When having a conversation in the debugging preview, the saved application configuration is used;
• Application: An entry of "go to conversation" is added to the "settings" page of the application, facilitating users to go to the question - and - answer page for conversation after adjusting the configuration;
• Question - and - Answer Page: Advanced orchestration applications support the display of knowledge sources;
• Question - and - Answer Page: The interaction and style of the question - and - answer page are optimized;
• Security: Fixed a remote command execution vulnerability in the tool module (CVE-2025-53927);
• Security: Fixed a potential remote command execution vulnerability during MCP calls (CVE-2025-53928).

P.S. MaxKB does not currently support direct upgrade from version v1.10.x to v2.0.x. The MaxKB team plans to release a related migration tool in September 2025.