Skip to main content

Anything Llm CVE-2026-32717

LOW
Incorrect Authorization (CWE-863)
2026-03-13 GitHub_M
2.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:23 nvd
LOW 2.7

DescriptionGitHub Advisory

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.

AnalysisAI

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863).

RemediationAI

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

CVE-2023-4899 HIGH POC
8.8 Sep 12

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne

CVE-2023-4898 HIGH POC
7.5 Sep 12

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev

CVE-2026-32626 CRITICAL
9.6 Mar 13

XSS in AnythingLLM 1.11.1 and earlier.

CVE-2026-32628 HIGH
7.7 Mar 13

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a

CVE-2026-32617 HIGH
7.1 Mar 13

AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th

CVE-2026-41318 MEDIUM
5.4 Apr 24

Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject

CVE-2026-48789 MEDIUM
4.3 Jun 24

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to

CVE-2026-42456 MEDIUM
4.3 May 08

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32719 MEDIUM
4.2 Mar 13

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f

CVE-2026-32715 LOW
3.8 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-47713 LOW
2.0 May 28

Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing

CVE-2026-45403 LOW
2.0 May 28

Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged au

Share

CVE-2026-32717 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy