CVE-2024-56137
Published: 02 January 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2024-56137 is a remote command execution vulnerability (CWE-78: OS Command Injection) affecting MaxKB, an open-source knowledge base question-answering system built on large language models and retrieval-augmented generation (RAG). The issue resides in the function library module and impacts versions prior to 1.9.0, where privileged users can inject and execute arbitrary operating system commands through custom scripts. It carries a CVSS v3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H), indicating medium severity due to requirements for high privileges and user interaction.
Exploitation requires an attacker to already hold privileged access to the MaxKB instance, after which they must induce a user to perform an action that triggers the vulnerable custom-script functionality. Successful exploitation yields remote execution of OS commands on the host system, with high impact on confidentiality, integrity, and availability, such as data exfiltration, system modification, or denial of service.
The vulnerability has been fully addressed in MaxKB version 1.9.0, as detailed in the GitHub security advisory (GHSA-76w2-2g72-cg85). Security practitioners should prioritize upgrading to v1.9.0 or later and review access controls for privileged users in RAG-based LLM deployments to prevent script-based command injection.
Details
- CWE(s): CWE-78 (OS Command Injection)
- Affected Products: MaxKB, versions prior to 1.9.0
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: not specified
- Other ATLAS/OWASP Terms
  - OWASP Top 10 for LLMs 2025: None mapped
  - MITRE ATLAS Techniques: None mapped
- Classification Reason: MaxKB is an open-source knowledge base question-answering system explicitly based on large language models (LLM) and retrieval-augmented generation (RAG), fitting the Enterprise AI Assistants category as it provides AI-driven Q&A capabilities typically used in enterprise settings.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The RCE vulnerability enables privileged users to remotely execute arbitrary OS commands via custom scripts in the function library module, facilitating T1210 (Exploitation of Remote Services) and T1059 (Command and Scripting Interpreter).