Knowledge Base: Added support for importing and exporting all metadata of the knowledge base;
Agent: Added support for selecting models and knowledge bases during a conversation;
Agent: Added support for batch selection to move items to other folders or delete them in batches;
Agent: Added thinking process toggle settings for the "Image Understanding" and "Video Understanding" nodes in advanced agents;
Knowledge Base: Added support for batch selection to move items to other folders or delete them in batches;
Tools: Added support for batch selection to move items to other folders or delete them in batches;
Models: Added support for reranking models from the Baidu Qianfan provider (#4927);
System: Unified all username display fields in the system to show the user's full name;
Agent: The "Variable Aggregation" node in advanced agents now supports aggregating into dict-type variables (#4904);
Agent: Optimized the split expression component of the "Variable Splitting" node in advanced agents (#4961).
Bug Fixes
Agent: Fixed an error in user questions when using vLLM models with system prompts and Skills/MCP tools in the AI Conversation node;
Agent: Fixed the incompatibility issue between vLLM models and the reasoning field;
Agent: Fixed incorrect retrieval results when using the document tag retrieval node (#4942);
Agent: Fixed the issue where the collapsed state of loop nodes in advanced orchestration was not saved (#4996);
Agent: Fixed an error in the Image Understanding node during multi-turn conversations when images are not sent midway and then sent again (#4999);
Agent: Fixed blank rendering issues when using ECharts (#4966);
Agent (X-Pack): Fixed the issue where images sent via WeChat Work could not be opened after downloading from MaxKB conversation logs;
Agent (X-Pack): Fixed the issue where authentication was not performed during conversations after enabling identity authentication for sub-agents in advanced agents;
Knowledge Base: Fixed inaccurate description of "Allow preview in knowledge sources" in the Web Site knowledge base;
Models: Fixed missing error messages when the token limit is exceeded or the balance is insufficient for Alibaba Cloud Bailian reranking models (#4928);
Models (X-Pack): Fixed the permission error when regular users click on shared models;
Roles (X-Pack): Fixed the issue where other permissions were automatically checked when customizing the "About" permission for regular users (#4954);
Resource Management (X-Pack): Fixed the issue where user roles were not displayed when authorizing resources in resource management.
Security Vulnerability Fixes
Security: Fixed an SSRF vulnerability that bypassed the sandbox connect() hook via socket.sendto() + MSG_FASTOPEN; the fix prevents access to restricted internal services (#CVE-2026-39418);
Security: Fixed a remote code execution vulnerability that allowed sandbox escape by using env -i LD_PRELOAD to clear environment variables (#CVE-2026-39420);
Security: Fixed a sandbox bypass vulnerability that allowed result spoofing via sys.exit(0), bypassing sandbox result verification (#CVE-2026-39419);
Security: Fixed a critical remote code execution vulnerability that allowed sandbox escape via ctypes and the unhooked SYS_pkey_mprotect (#CVE-2026-39421);
Security: Fixed a remote code execution vulnerability that allowed shell command injection via malicious configuration, caused by missing validation of the MCP server configuration (#CVE-2026-39417);
Security: Fixed a general stored cross-site scripting (XSS) vulnerability and strengthened user input security validation in all scenarios (#CVE-2026-39422);
Security: Fixed a stored XSS vulnerability in iframe_render caused by unfiltered user input (#CVE-2026-39426);
Security: Fixed a stored XSS vulnerability in the Markdown rendering component html_rander caused by unfiltered HTML tags (#CVE-2026-39425);
Security: Fixed a stored XSS vulnerability in the echarts_rander component caused by malicious code injection via Eval (#CVE-2026-39423);
Security: Fixed a CSV injection vulnerability caused by unescaped special characters when exporting application chat logs to CSV (variant of CVE-2025-4546) (#CVE-2026-39424).