v2.4.0

Security Vulnerability Fixes

• Fixed the permission bypass issue caused by system file overwriting (CVE-2025-66446);
• Fixed the permission bypass issue caused under specific concurrent conditions (CVE-2025-66419).

Special thanks to GitHub users @yck99, @NikoCat233, and @Threonine for discovering and promptly reporting the above vulnerabilities to the MaxKB open-source community!

New Features

• Knowledge Base: Added workflow knowledge base;
• Tools: Added data source tools;
• Tools: Tools in the Tool Store support two types: "Tool" and "Data Source";
• Models: AWS provider added support for vision models and reranking models;
• Models: Vision models of OpenAI, Ollama, vLLM, Xinference, and Zhipu AI providers support video understanding functionality;
• Models: Added support for large language models, vector models, and reranking models from the Docker AI provider;
• Applications: Added "URL Address" as an upload method in the file upload settings;
• Applications: Added ranking statistics for "User Consumed Tokens" and "User Question Count" to the monitoring statistics on the overview page;
• Resource Authorization: Supported filtering users by role when authorizing applications, knowledge bases, tools, and models to users by resource;
• Login Authentication (X-Pack): Added SAML2 login authentication method.

Feature Optimizations

• Applications: The generated prompts of AI conversation nodes in advanced applications no longer carry application names and description information;
• Applications: Supported outputting request parameters when AI models call MCP tools;
• Applications: Supported using shortcut keys to copy nodes into loop bodies in advanced orchestration;
• Tools: Supported importing three types of resources: tools, MCPs, and data sources;
• Tools: Adjusted the Tool Store entry to the tool list;
• Tools: Removed system built-in tools and moved them to the Tool Store.

Bug Fixes

• Q&A Page: Fixed the issue where retrieval results of knowledge base retrieval nodes in loop bodies were not displayed in knowledge sources;
• Applications: Fixed the incorrect display of execution time for loop nodes in execution details;
• Applications: Fixed the incorrect retrieval results when the variable value was empty in the document tag retrieval node;
• Knowledge Base: Fixed the issue where the original document could not be opened after downloading it following replacement (#4397);
• Models: Fixed the generation error of the qwen-image model from the Alibaba Cloud BaiLian provider (#4376);
• Models: Fixed the error when adding the gpt-5-codex model from the Azure OpenAI provider;
• Models: Fixed the incorrect setting of some parameters for vLLM models (#4403);
• Roles: Fixed the issue where the "About" permission authorized to workspace administrators and ordinary users did not take effect;
• Conversation Users (X-Pack): Fixed the issue where non-essential information was displayed in the conversation user query interface;
• API Documentation (X-Pack): Revised several inaccurate descriptions in the API documentation.