CVE-2026-32890
Stored XSS in Anchorr Dashboard Enables Credential Theft

Publication date: 2026-03-20

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes, without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: openvessl
Product: anchorr
Version / Range: up to and including 1.4.1
CWE ID and Description
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32890 is a critical stored Cross-site Scripting (XSS) vulnerability in the Anchorr Discord bot's web dashboard (versions 1.4.1 and below). It exists in the User Mapping dropdown, where Discord member display names are rendered using unsanitized HTML, allowing any unprivileged Discord user in the configured guild to inject and execute arbitrary JavaScript in the Anchorr admin's browser.

Attackers exploit this by splitting a malicious payload across multiple Discord accounts to bypass character limits, setting a global JavaScript variable with a malicious script URL, and triggering a dynamic import of that external script. The script runs in the admin's browser context and calls the GET /api/config endpoint, which returns all stored secrets in plaintext.

The vulnerability allows attackers to steal sensitive credentials such as the Discord bot token, API keys, JWT secrets, webhook secrets, and bcrypt password hashes without any authentication to Anchorr itself, requiring only membership in the guild and the admin opening the User Mappings tab. [1]


How can this vulnerability impact me?

This vulnerability can lead to a complete compromise of the Anchorr instance and all connected services. An attacker can gain full control over the dashboard, impersonate the Discord bot, and steal all sensitive credentials stored in Anchorr.

  • Full bot impersonation and access to all Discord guilds via the stolen DISCORD_TOKEN.
  • Unauthorized admin access to the Jellyfin media server using the JELLYFIN_API_KEY.
  • Access to Jellyseerr request management through the JELLYSEERR_API_KEY.
  • Ability to forge admin authentication tokens using the JWT_SECRET.
  • Sending forged webhook payloads with the WEBHOOK_SECRET.
  • Exposure of external API credentials (TMDB_API_KEY and OMDB_API_KEY).
  • Access to bcrypt password hashes for all dashboard accounts, potentially enabling further account compromises.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying whether your Anchorr instance is running version 1.4.1 or below, which contains the stored Cross-site Scripting (XSS) flaw in the User Mapping dropdown of the web dashboard.

Since the exploit requires an attacker-controlled Discord user to inject malicious JavaScript via crafted Discord display names, monitoring for unusual or suspicious Discord display names containing HTML or JavaScript payloads in your guild could indicate exploitation attempts.

Additionally, network monitoring for unexpected outbound POST requests from the admin's browser to unknown external servers (potential exfiltration endpoints) when the User Mapping dropdown is accessed may help detect exploitation.

Specific commands are not provided in the resources, but general approaches include:

  • Check the Anchorr version by querying the running instance or inspecting the deployed package version.
  • Use browser developer tools or network monitoring tools (e.g., Wireshark, tcpdump) to detect suspicious network traffic originating from the admin's browser when interacting with the User Mapping dropdown.
  • Audit Discord guild member display names for suspicious HTML or JavaScript content. [1]
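The display-name audit suggested above, as an added example that is not part of this record or of the Anchorr project. It runs over constructed member data, flags names carrying markup or script-like content, and also inspects the names joined in dropdown order so that a payload split across several accounts (the technique the record describes) is caught even though no single name contains a complete tag; the member order is assumed to be the one the dashboard renders.

```javascript
// Added example, not from the advisory or the Anchorr project: an offline
// audit over constructed Discord display names.

// A complete tag-like token, an HTML event-handler attribute, or a javascript: URL.
const SUSPICIOUS = /<\s*\/?[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
// A stray angle bracket: harmless alone, but it may complete a tag once joined.
const FRAGMENT = /[<>]/;

// members: [{ id, displayName }] in the order the dropdown renders them
// (assumption: the caller supplies that order).
function auditDisplayNames(members) {
  const flagged = [];
  for (const m of members) {
    if (SUSPICIOUS.test(m.displayName)) flagged.push({ id: m.id, reason: 'markup' });
    else if (FRAGMENT.test(m.displayName)) flagged.push({ id: m.id, reason: 'fragment' });
  }
  // Split-payload check: markup that appears only once the names are concatenated.
  const joined = members.map((m) => m.displayName).join('');
  const splitPayload =
    SUSPICIOUS.test(joined) && !members.some((m) => SUSPICIOUS.test(m.displayName));
  return { flagged, splitPayload };
}

// Constructed sample: one clean name and two fragments that form a tag together.
const sampleMembers = [
  { id: 1, displayName: 'alice' },
  { id: 2, displayName: '<b' },
  { id: 3, displayName: '>bob' },
];
console.log(JSON.stringify(auditDisplayNames(sampleMembers)));
```

Feed it the member list exported from your guild (ids and display names) in the order the User Mapping dropdown shows them; anything flagged deserves a manual look before an admin opens that tab on an unpatched instance.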


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to upgrade Anchorr to version 1.4.2 or later, which contains patches addressing the stored XSS vulnerabilities.

Version 1.4.2 includes multiple security improvements such as:

  • Refactoring the web dashboard to use safe DOM API methods instead of unsafe innerHTML interpolation, preventing XSS.
  • Validation of avatar URLs to ensure only safe URLs are used.
  • Sanitization of internationalization strings and configuration data to prevent script injection.
  • Masking sensitive configuration fields and preventing accidental credential exposure.
  • Addition of security response headers to enhance overall security posture.
  • Implementation of authentication rate limiting to mitigate brute-force attacks.

Until the update can be applied, restrict access to the Anchorr admin dashboard and monitor for suspicious Discord user activity in the guild.
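The two fixes the list above describes, shown side by side as an added example that is not Anchorr's own code: the unsafe HTML-interpolation pattern the record attributes to versions 1.4.1 and below, the DOM-API rendering that replaces it, and a masking step for sensitive configuration fields of the kind /api/config returned in plaintext. The DOM stand-in, the option layout, and the sensitive-key pattern are assumptions made so the code runs under Node.

```javascript
// Added example, not Anchorr's source. Constructed stand-in for the browser DOM
// so the safe renderer runs under Node.
function makeDoc() {
  const node = (tag) => ({
    tag, value: '', textContent: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
    replaceChildren() { this.children = []; },
  });
  return { createElement: node };
}

// UNSAFE (the pre-1.4.2 pattern the advisory describes): names interpolated into
// markup. A browser parses the string, so tags inside a name become live elements.
function renderOptionsUnsafe(members) {
  return members.map((m) => `<option value="${m.id}">${m.displayName}</option>`).join('');
}

// SAFE (the 1.4.2 approach): nodes built with DOM methods. textContent stores the
// name as inert text, never as markup, whatever characters it contains.
function renderOptionsSafe(doc, select, members) {
  select.replaceChildren();
  for (const m of members) {
    const opt = doc.createElement('option');
    opt.value = String(m.id);
    opt.textContent = m.displayName;
    select.appendChild(opt);
  }
  return select.children.map((o) => o.textContent);
}

// Mask secrets before a config object is returned to the dashboard (CWE-200).
// The key pattern is an assumption; the advisory names DISCORD_TOKEN,
// JELLYFIN_API_KEY, JWT_SECRET, WEBHOOK_SECRET and bcrypt password hashes.
const SENSITIVE_KEY = /(TOKEN|SECRET|API_KEY|PASSWORD|HASH)$/i;
function maskConfig(config) {
  const masked = {};
  for (const [key, value] of Object.entries(config)) {
    masked[key] = SENSITIVE_KEY.test(key) && value !== '' ? '********' : value;
  }
  return masked;
}

// Constructed sample: a display name carrying a tag.
const sampleMembers = [{ id: 1, displayName: 'alice' }, { id: 2, displayName: '<b>mallory</b>' }];
const doc = makeDoc();
console.log(renderOptionsUnsafe(sampleMembers));                                  // tag survives as markup
console.log(renderOptionsSafe(doc, doc.createElement('select'), sampleMembers));  // tag is plain text
```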

