CVE-2026-32715
Privilege Escalation via Insecure Preferences Endpoints in AnythingLLM
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mintplexlabs | anythingllm | up to and including 1.11.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in AnythingLLM version 1.11.1 and earlier, where two generic system-preferences endpoints allow access to users with the manager role, while other interfaces that interact with the same settings restrict access to admin users only.
Due to this inconsistency, a manager can directly call these generic endpoints to read plaintext SQL database credentials and overwrite global settings that should be restricted to admins, such as the default system prompt and the Community Hub API key.
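The inconsistency described above, shown as an added example that is not AnythingLLM's code: a generic preferences handler behind one coarse role gate, next to a per-key policy that every handler shares. The setting keys, function names and sample values are hypothetical; only the manager and admin role names come from the advisory.

```javascript
// Added illustration. Role names follow the advisory; setting keys, function
// names and sample values are hypothetical, not AnythingLLM's own.
const ROLE_RANK = { default: 0, manager: 1, admin: 2 };

// One policy table consulted by every handler that touches a setting.
const POLICY = {
  sql_connection_string: { read: "admin", write: "admin", secret: true },
  default_system_prompt: { read: "manager", write: "admin", secret: false },
  hub_api_key: { read: "admin", write: "admin", secret: true },
  support_email: { read: "manager", write: "manager", secret: false },
};

// Constructed sample store.
const SAMPLE = {
  sql_connection_string: "postgres://app:constructed-pw@db.example/app",
  default_system_prompt: "You are a helpful assistant.",
  hub_api_key: "constructed-hub-key",
  support_email: "help@example.com",
};

// Fail closed: unknown keys and unknown roles are denied.
function allowed(role, key, action) {
  if (!Object.hasOwn(POLICY, key) || !Object.hasOwn(ROLE_RANK, role)) return false;
  return ROLE_RANK[role] >= ROLE_RANK[POLICY[key][action]];
}

// Flawed pattern: a single manager-or-above gate for the whole generic endpoint.
function readAllCoarse(role, store) {
  if (!(ROLE_RANK[role] >= ROLE_RANK.manager)) throw new Error("forbidden");
  return { ...store };
}

// Hardened read: filter per key; secrets are reported as present/absent only.
function readAll(role, store) {
  const out = {};
  for (const [key, value] of Object.entries(store)) {
    if (!allowed(role, key, "read")) continue;
    out[key] = POLICY[key].secret ? Boolean(value) : value;
  }
  return out;
}

// Hardened write: reject the whole batch if any key is above the caller's role.
function writeMany(role, store, updates) {
  const denied = Object.keys(updates).filter((k) => !allowed(role, k, "write"));
  if (denied.length > 0) return { ok: false, denied };
  Object.assign(store, updates);
  return { ok: true, denied };
}
```

Keeping the per-key rule in one table means a new endpoint cannot drift from the admin-only interfaces, and reporting secrets as present or absent keeps plaintext credentials out of API responses for every role.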
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information, such as plaintext SQL database credentials, to users with manager-level access.
Additionally, it allows these users to overwrite critical global settings that should be admin-only, potentially compromising the integrity and security of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know