Releases: 1Panel-dev/MaxKB
v2.8.1
Security Vulnerability Fixes
- Security: Fixed the permission bypass and SSRF security issues in the OSS file service URL acquisition interface. Improved application permission verification, DNS resolution verification, and URL resolution consistency to prevent unauthorized access and intranet request forgery.
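The checks named in this note (DNS resolution verification, and keeping the vetted target and the fetched target the same), sketched as an added example that is not MaxKB's code. It also unwraps IPv4-mapped IPv6 addresses, the form mentioned under v2.4.2. `BlockedURL`, `is_public`, `resolve_and_check`, `constructed_resolver`, `verdict` and the DNS table are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedURL(ValueError):
    """Raised when a URL must not be fetched by the server."""

def is_public(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return False                                   # fail closed
    # ::ffff:10.0.0.5 is an IPv4 address in IPv6 form: judge the IPv4 part.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global

def resolve_and_check(url: str, resolver=socket.getaddrinfo):
    """Parse once, resolve once, return (host, port, vetted_addresses)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise BlockedURL(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise BlockedURL(f"cannot resolve {parts.hostname!r}") from exc
    addrs = sorted({info[4][0] for info in infos})
    # Reject if ANY record is internal: a name with one public and one
    # private record could otherwise pass the check and still reach inside.
    bad = [a for a in addrs if not is_public(a)]
    if bad or not addrs:
        raise BlockedURL(f"{parts.hostname!r} resolves to non-public {bad}")
    return parts.hostname, port, addrs

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "files.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
    "mapped.example.net": ["::ffff:169.254.169.254"],
}

def constructed_resolver(host, port, type=0):
    # Names missing from the table (including IP literals) map to themselves.
    answers = CONSTRUCTED_DNS.get(host, [host])
    return [(socket.AF_INET, type, 6, "", (a, port)) for a in answers]

def verdict(url: str) -> str:
    try:
        return "allow " + ",".join(resolve_and_check(url, constructed_resolver)[2])
    except BlockedURL:
        return "block"
```

The caller should connect to one of the returned addresses, sending the original host name for the Host header and TLS verification, rather than resolving the name a second time. The same check has to be repeated for every redirect hop.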
Bug Fixes
- Models: Fixed an error when setting the end frame for text-to-video generation using the wan model from Alibaba Cloud Bailian provider (#5111).
- Models: Fixed the issue where the image count setting did not take effect in the parameter configuration of Volcano Engine image generation models (#5089).
- Knowledge Base: Fixed the issue where document order became disordered after adjusting document order following document segment migration (#5106).
- Knowledge Base: Fixed abnormal segmentation caused by the intelligent segmentation rule not excluding # comments inside code blocks.
- Agent: Fixed an error in model skill invocation during conversation when the thinking process was enabled in the AI Conversation node and an agent was configured in skills (#4988).
- API Documentation: Fixed the missing sync_type parameter in the Web knowledge base synchronization API documentation (#5081).
v2.8.0
New Features
- Tools: Added workflow-type tools;
- Tools: Supported automatic Python code generation;
- Knowledge Base: Supported importing and exporting all metadata of the knowledge base;
- Agent: Supported selecting models and knowledge bases during conversation;
- Agent: Supported batch selection to move to other folders or perform batch deletion;
- Agent: Added thinking process toggle settings for "Image Understanding" and "Video Understanding" nodes in advanced agents;
- Knowledge Base: Supported batch selection to move to other folders or perform batch deletion;
- Tools: Supported batch selection to move to other folders or perform batch deletion;
- Models: Added support for reranking models from the Baidu Qianfan provider (#4927);
- System: Unified all username display fields in the system to show the user's full name;
- Agent: The "Variable Aggregation" node in advanced agents now supports aggregating into dict-type variables (#4904);
- Agent: Optimized the split expression component of the "Variable Splitting" node in advanced agents (#4961).
Bug Fixes
- Agent: Fixed an error in user questions when using vLLM models with system prompts and Skills/MCP tools in the AI Conversation node;
- Agent: Fixed the incompatibility issue between vLLM models and the reasoning field;
- Agent: Fixed incorrect retrieval results when using the document tag retrieval node (#4942);
- Agent: Fixed the issue where the collapsed state of loop nodes in advanced orchestration was not saved (#4996);
- Agent: Fixed an error in the Image Understanding node during multi-turn conversations when images are not sent midway and then sent again (#4999);
- Agent: Fixed blank rendering issues when using ECharts (#4966);
- Agent (X-Pack): Fixed the issue where images sent via WeChat Work could not be opened after downloading from MaxKB conversation logs;
- Agent (X-Pack): Fixed the issue where authentication was not performed during conversations after enabling identity authentication for sub-agents in advanced agents;
- Knowledge Base: Fixed inaccurate description of "Allow preview in knowledge sources" in the Web Site knowledge base;
- Models: Fixed the missing error messages when token limit is exceeded or balance is insufficient for Alibaba Cloud Bailian reranking models (#4928);
- Models (X-Pack): Fixed the permission error when regular users click on shared models;
- Roles (X-Pack): Fixed the issue where other permissions were automatically checked when customizing the "About" permission for regular users (#4954);
- Resource Management (X-Pack): Fixed the issue where user roles were not displayed when authorizing resources in resource management.
Security Vulnerability Fixes
- Security: Fixed SSRF vulnerability bypassing sandbox connect() hook via socket.sendto()+MSG_FASTOPEN to prevent access to internal restricted services (#CVE-2026-39418);
- Security: Fixed remote code execution vulnerability for sandbox escape via env -i LD_PRELOAD to clear environment variables (#CVE-2026-39420);
- Security: Fixed sandbox bypass vulnerability for result spoofing via sys.exit(0) to bypass sandbox result verification (#CVE-2026-39419);
- Security: Fixed critical remote code execution vulnerability for sandbox escape via ctypes and unhooked SYS_pkey_mprotect (#CVE-2026-39421);
- Security: Fixed remote code execution vulnerability for Shell command injection via malicious configuration due to missing MCP server configuration validation (#CVE-2026-39417);
- Security: Fixed general stored cross-site scripting (XSS) vulnerability and strengthened user input security validation in all scenarios (#CVE-2026-39422);
- Security: Fixed stored XSS vulnerability in iframe_render caused by unfiltered user input (#CVE-2026-39426);
- Security: Fixed stored XSS vulnerability in Markdown rendering html_rander due to unfiltered HTML tags (#CVE-2026-39425);
- Security: Fixed stored XSS vulnerability in echarts_rander component via Eval malicious code injection (#CVE-2026-39423);
- Security: Fixed CSV injection vulnerability caused by unescaped special characters when exporting application chat logs to CSV (variant of CVE-2025-4546) (#CVE-2026-39424).
v2.7.1
Bug Fixes
- Models: Fixed the error that occurred when using Embedding models from the Ollama provider;
- Installation & Deployment: Fixed the upgrade error caused by incompatible dependency package versions on some older machines;
- Agent: Fixed the issue where the style of tool call data was not displayed in execution details.
v1.10.13-lts
Bug Fixes
- Models: Fixed the error when adding the image generation model of Douban (Doubao);
- Applications: Fixed the issue where the service restarted when exporting conversation logs due to a large volume of conversation log data;
- Applications: Fixed the issue where conversation records could not be exported when there was abnormal content in conversation logs;
- Applications: Fixed the issue where the judge node could not handle multiple conditions;
- Login: Fixed the login failure issue when the username contained Chinese characters (#4232);
- Internationalization: Fixed the incorrect description when adding the vision model of Xorbits Inference under Traditional Chinese/Simplified Chinese language settings.
v2.7.0
New Features
- Tools: Added Skills management capability to tools (#4682);
- Agent: Supported agents to call Skills autonomously (#4682);
- Q&A Page: Supported sharing conversation records on the Q&A page;
- Knowledge Base: Supported directly adding/removing document tags from the tag dimension;
- Login Authentication (X-Pack): Supported configuring the allowed login methods for system users.
Feature Optimizations
- Agent: Added the function to search/locate nodes on the workflow orchestration page of advanced agents;
- Agent: Added support for searching models in the model selection drop-down box (#4769);
- Agent: When hovering the mouse over resources in the dialog boxes for selecting knowledge bases, tools, and agents, more information about the resources can be displayed (#4657);
- Agent: Added support for the "Not Equal To" option for conditions in the judge node of advanced agents (#4885);
- Knowledge Base: Added a "Tags" column to the document list (displayed), and supported adding tags to documents in this column (#4616);
- Q&A Page: Optimized the UI style of tool calls;
- Triggers: Added support for setting scheduled triggers via Cron expressions (#4820);
- Models: Added support for image generation models from the Gemini provider (#4492);
- Models: Added support for vision models from the Silicon Flow (Guiji Liudong) provider (#4789).
Bug Fixes
- Knowledge Base: Fixed the issue where documents were not exported in segmentation order when exporting (#4818);
- Agent (X-Pack): Fixed the issue where output content was not formatted with Markdown during conversations in the Lark client;
- Agent: Fixed the issue where the pop-up window was not fully displayed when users gave thumbs-up/down feedback after AI reply content, when embedded in third-party platforms with full-screen embedding selected;
- Agent: Fixed the issue where AI nodes were displayed as completed in execution details even though they were not fully executed (#4845);
- Agent: Fixed the issue where conversations could still be conducted when calling the same application using API Keys of different applications (#4854);
- Agent: Fixed the issue where the question optimization node did not take effect (#4874);
- Agent: Fixed the issue where the AI model and associated knowledge base in settings were cleared after moving files in simple agents (#4890);
- Q&A Page: Fixed the incorrect style display when form collection content existed during conversations;
- Q&A Page: Fixed the issue where conversation content was not internationalized when users gave thumbs-up/down feedback after AI reply content;
- Q&A Page (X-Pack): Fixed the issue where conversation users created by third parties could not modify their passwords after logging into the application via account login;
- Models: Fixed the error when adding image generation models from the Volcano Engine provider.
v2.6.1
Bug Fixes
- Agent: Fixed the issue where tool execution failed under certain circumstances in the agent workflow; #4790
- Agent: Fixed the issue of incorrect acquisition of historical records in AI Conversation nodes when parallel nodes existed in the agent workflow; #4778
- Agent: Fixed the front-end error caused by excessively large data streams returned by the back-end when the AI responded to questions;
- Knowledge Base: Fixed the issue where segmentation markers (blank lines and carriage returns) did not take effect after selecting intelligent segmentation for document uploads; #4791.
v2.6.0
New Features
- Agent: Added trigger activation capability;
- Agent (X-Pack): Supported setting validity period for Agent API Keys;
- Agent: Added IP Address and Source attributes to the conversation log list;
- Agent: Supported setting independent cleanup policies for uploaded files in conversation logs;
- Tools: Added trigger activation capability;
- Tools: Added the function to view execution records;
- Shared Tools (X-Pack): Added the function to view execution records;
- Triggers: Added trigger management function for the workspace administrator role;
- Knowledge Base: General Knowledge Base, Web Site Knowledge Base, and Lark Knowledge Base all support direct conversion to Workflow Knowledge Base;
- Knowledge Base: Added support for batch exporting documents in the document list;
- System Management (X-Pack): Supported setting validity period for system API Keys.
Feature Optimizations
- Agent: Adjusted the position of the Go to Conversation button to the Agent panel;
- Agent: Added a Current Moment setting for the default value of date-type parameters entered by users; after setting, the parameter dynamically obtains the current time on the Q&A page;
- Models: Added support for entering the API URL parameter for video models and speech recognition models of Alibaba Cloud BaiLian;
- Models: Vector models of the Volcano Engine provider support docking with multimodal vector models;
- Models: Speech recognition models of the Volcano Engine provider support the docking method of speech recognition for audio files;
- Models: Added support for setting the Response Type parameter (e.g., response_format=b64_json) in the model parameters of image generation models of the OpenAI provider; #4538
- System: Optimized internationalized copy and partial UI interfaces.
Bug Fixes
- Agent: Fixed the issue where the Referenced Segment Count and Segment Title + Content fields were missing when exporting conversation logs;
- Agent: Fixed the issue where the calling process was not displayed if a tool in skills had no input parameters when the AI model called the tool;
- Agent: Fixed the issue of disordered AI reply content when a sub-agent in a loop body also had a loop node (#4654);
- Agent: Fixed the issue where AI reply content did not automatically scroll to the bottom during Agent debugging (#4660);
- Login Authentication (X-Pack): Fixed the issue where the number of failed login attempts for displaying captcha could not be set to 0;
- Models: Fixed the issue where the slm speech recognition model of iFlytek Spark could not convert speech to text;
- Models: Fixed the error when editing the iat model of iFlytek Spark;
- Folders: Fixed the issue where users with only folder view permissions could still create subfolders (#4688).
v2.5.0
New Features
- Agent: Upgraded the "Application" module to the "Agent" module;
- Agent: Added automatic agent calling function to simple agents, and merged tools, MCP, and agents into the "Skills" function;
- Agent: Added automatic agent calling function to AI Conversation nodes in advanced agents, and merged tools, MCP, and agents into the "Skills" function;
- Agent: Supported creating agents via templates in the Template Center;
- Agent: Added exception branch output to all AI capability nodes in advanced agents to enhance process fault tolerance;
- Agent: Supported displaying feedback information filled by users in conversation log details;
- Agent: The user input parameter component in the Basic Information node supports multi-line text boxes, single-line tab components, and single-line multi-select tab components;
- Agent: Input parameters in custom tool nodes support boolean type;
- Q&A Page: Supported users to fill in feedback information when submitting feedback;
- Knowledge Base: Supported canceling the document import process in workflow knowledge bases;
- Knowledge Base: Added workflow import/export function to workflow knowledge bases;
- Knowledge Base: Supported viewing associated resources;
- Tools: Supported viewing associated resources;
- Tools: Added JSON text box and slider components to the component types in parameter dialogs;
- Folders: Supported sorting by name, creation time, and custom drag-and-drop order;
- Models: Supported viewing associated resources;
- Login Authentication (X-Pack): Added default role assignment function for third-party users in login settings;
- Login Authentication (X-Pack): Added account lockout function after failed login attempts in login settings;
- User Management: Supported setting default resource permissions when creating users;
- User Management (X-Pack): Supported batch role assignment and batch user deletion.
Feature Optimizations
- Agent: Added conversation user group {{global.chat_user_group}} to the start node in advanced agents;
- Knowledge Base: Optimized the hit test interface to use POST requests;
- Folders: Supported authorizing folders by user roles;
- API Key: Optimized system API Keys to be isolated by user;
- Q&A Page: Removed the limit of only viewing 20 historical chat records;
- Q&A Page: Supported editing and re-submitting the last question;
- Q&A Page (X-Pack): Supported logout function for third-party conversation users after logging into the Q&A page;
- System: Optimized the system UI interface.
Bug Fixes
- Security Vulnerability: Fixed the XSS vulnerability caused by file uploads;
- Security Vulnerability: Fixed the issue where Python code in the tool module loaded dynamic link libraries to bypass security restrictions;
- Security Vulnerability: Fixed the potential RCE issue caused by deserializing untrusted objects via pickle in Celery;
- Tools: Fixed the false interception of emails sent via the SMTP protocol;
- Agent: Fixed the issue where the scroll bar of the tool drop-down box in MCP nodes could not scroll;
- Agent: Fixed the style issue where execution details of MCP call and tool nodes exceeded the screen;
- Agent: Fixed the issue where child agents could not receive video files from parent agents (#4568);
- Knowledge Base: Fixed the style issue where video components in segmentation details exceeded the segmentation detail area (#4542);
- Knowledge Base: Fixed the issue where all videos automatically played when opening the segmentation details page.
v2.4.2
Bug Fixes
- Applications: Fixed the incorrect jump path of the Go to Conversation button on the workflow orchestration page when the system's secondary path has been modified;
- Applications: Fixed the issue where the reference variable selection could not be canceled for tool nodes in advanced orchestration applications;
- Applications: Fixed the issue where the workflow did not terminate when a node inside the loop body threw an error;
- Applications: Fixed the inconsistency between the node order in the add component dialog and the node order in the loop body;
- Applications (X-Pack): Fixed the redirection issue on the WeChat Work QR code login page for conversation users;
- Knowledge Base: Fixed the issue where the previous page state was not retained when returning to the document list page from the document segmentation details page;
- Knowledge Base: Fixed the parsing failure issue of global variables entered in the specified reply node of the workflow knowledge base;
- Knowledge Base: Removed the historical chat record function from the Image Understanding, Video Understanding, and AI Conversation nodes in the workflow knowledge base;
- Knowledge Base: Fixed the issue where newly created vector models were not displayed in the vector model list when creating them in the knowledge base creation interface;
- Resource List: Fixed the incorrect display of the resource list when moving resources to folders in the root directory of applications/knowledge bases/tools;
- Tools: Fixed the issue where data source tools lacked parameters set during debugging;
- Tools: Fixed the issue where IPv6-mapped IPv4 addresses were not intercepted;
- API Documentation: Fixed the incorrect parameter type of the document segmentation interface.
v2.4.1
Bug Fixes
- Applications: Fixed the issue where the "Submit" button could not be clicked when the form collection node was executed;
- Applications: Fixed the issue of incorrect retrieval results when the tag value of the document tag retrieval node was None;
- Applications: Fixed the issue where Input parameters were incompletely output when the AI model called MCP;
- Knowledge Base: Fixed the execution error of image understanding in the knowledge base workflow;
- Knowledge Base: Fixed the issue where zip files containing images could not be written to the knowledge base when uploaded;
- Knowledge Base: Fixed the issue where custom input file formats in local files of data source nodes were case-sensitive;
- Tools: Fixed the issue of abnormal console errors in the tool editor under certain circumstances;
- Models: Fixed the cache_dir error that occurred when adding a local reranking model.