CVE-2026-32617

CVE

High

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and e…

CVSS

7.5

High

EPSS

0.00

p32

Published

2026-01-01

Updated

2026-01-01

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.

Tags · CWE

Pre-auth

CWE-942

Affected products

Anythingllm ≤ 1.11.1

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

2026-01-01

Published

2026-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: H

High (H)

Privileges Required

PR: N

None (N)

User Interaction

UI: R

Required (R)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: H

High (H)

Integrity Impact

I: H

High (H)

Availability Impact

A: H

High (H)

Exploit indicators

EPSS

0.004 · p32

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Mintplexlabs

Anythingllm

Product	Vendor	Status
anythingllm	*	Tracked

Source databases

CVE

Related vulnerabilities

BDU:2026-04256

External references

https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-24qj-pw4h-3jmm