CVE-2026-32617
Awaiting Analysis Awaiting Analysis - Queue
Unauthenticated Access in AnythingLLM 1.11.1 Allows Local Network Exploitation

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32617
EUVD
EUVD-2026-12103
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mintplexlabs anythingllm to 1.11.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32617 affects the AnythingLLM application version 1.11.1 and earlier, where default installations lack proper authentication on all HTTP endpoints and the agent WebSocket. The server uses a permissive CORS policy that accepts requests from any origin, allowing unauthenticated remote access to the local API.

The vulnerability arises because authentication middleware can be bypassed if certain environment variables are unset or if the environment is set to development mode. Additionally, the WebSocket endpoint relies only on UUID existence for access, which can be obtained without protection.

The server binds to all network interfaces by default, exposing it to remote attackers if not properly firewalled. Modern browsers implement protections that limit exploitation to local network attacks, but some browsers like Firefox do not enforce these protections fully.

Impact Analysis

This vulnerability can have severe impacts on confidentiality, integrity, and availability of the AnythingLLM instance.

  • Confidentiality: Attackers can read all workspaces, chat history, system settings, environment variables, and internal network responses.
  • Integrity: Attackers can modify settings, create or delete users, alter LLM configurations, and execute arbitrary code.
  • Availability: Attackers can delete workspaces, reset the system, and disrupt service.

Exploitation can occur remotely if the server is exposed to the internet or locally via malicious websites on the same network, potentially leading to server-side request forgery, SQL injection, and remote code execution.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the AnythingLLM server is running version 1.11.1 or earlier and if it is bound to 0.0.0.0 on port 3001 (HTTP) or port 8888 (collector), exposing unauthenticated HTTP and WebSocket endpoints.'}, {'type': 'paragraph', 'content': 'You can scan your network or system for open ports and services using commands like:'}, {'type': 'list_item', 'content': 'nmap -p 3001,8888 <target-ip> # Scan for AnythingLLM default ports'}, {'type': 'list_item', 'content': 'curl -v http://<target-ip>:3001/ # Check if HTTP endpoints respond without authentication'}, {'type': 'list_item', 'content': 'curl -H "Origin: http://malicious-site.com" http://<target-ip>:3001/api/endpoint # Test permissive CORS policy'}, {'type': 'paragraph', 'content': 'Additionally, inspecting the server environment variables for unset AUTH_TOKEN and JWT_SECRET or if NODE_ENV is set to "development" can indicate the authentication bypass condition.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Configure authentication by setting AUTH_TOKEN and JWT_SECRET environment variables to enforce credential checks.'}, {'type': 'list_item', 'content': 'Remove or restrict the NODE_ENV "development" mode when the server is accessible on the network.'}, {'type': 'list_item', 'content': 'Apply authentication middleware to WebSocket endpoints and verify user ownership of invocation UUIDs.'}, {'type': 'list_item', 'content': 'Restrict CORS policy to allow only trusted frontend origins instead of allowing any origin.'}, {'type': 'list_item', 'content': 'Firewall or restrict network exposure by preventing the server from binding to 0.0.0.0 without protection, ideally binding to localhost (127.0.0.1) if remote access is not needed.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32617. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart