CVE-2026-32890
Received Received - Intake
Stored XSS in Anchorr Dashboard Enables Credential Theft

Publication date: 2026-03-20

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32890
EUVD
EUVD-2026-13501
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openvessl anchorr to 1.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32890 is a critical stored Cross-site Scripting (XSS) vulnerability in the Anchorr Discord bot's web dashboard (versions 1.4.1 and below). It exists in the User Mapping dropdown where Discord member display names are rendered using unsanitized HTML, allowing any unprivileged Discord user in the configured guild to inject and execute arbitrary JavaScript in the Anchorr admin's browser."}, {'type': 'paragraph', 'content': "Attackers exploit this by splitting a malicious payload across multiple Discord accounts to bypass character limits, setting a global JavaScript variable with a malicious script URL, and triggering dynamic import of this external script. This script runs in the admin's browser context and calls the GET /api/config endpoint, which returns all stored secrets in plaintext."}, {'type': 'paragraph', 'content': 'The vulnerability allows attackers to steal sensitive credentials such as the Discord bot token, API keys, JWT secrets, webhook secrets, and bcrypt password hashes without any authentication to Anchorr itself, requiring only membership in the guild and the admin opening the User Mappings tab.'}] [1]

Impact Analysis

This vulnerability can lead to a complete compromise of the Anchorr instance and all connected services. An attacker can gain full control over the dashboard, impersonate the Discord bot, and steal all sensitive credentials stored in Anchorr.

  • Full bot impersonation and access to all Discord guilds via the stolen DISCORD_TOKEN.
  • Unauthorized admin access to the Jellyfin media server using the JELLYFIN_API_KEY.
  • Access to Jellyseerr request management through the JELLYSEERR_API_KEY.
  • Ability to forge admin authentication tokens using the JWT_SECRET.
  • Sending forged webhook payloads with the WEBHOOK_SECRET.
  • Exposure of external API credentials (TMDB_API_KEY and OMDB_API_KEY).
  • Access to bcrypt password hashes for all dashboard accounts, potentially enabling further account compromises.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your Anchorr instance is running version 1.4.1 or below, which contains the stored Cross-site Scripting (XSS) flaw in the User Mapping dropdown of the web dashboard.'}, {'type': 'paragraph', 'content': 'Since the exploit requires an attacker-controlled Discord user to inject malicious JavaScript via crafted Discord display names, monitoring for unusual or suspicious Discord display names containing HTML or JavaScript payloads in your guild could indicate exploitation attempts.'}, {'type': 'paragraph', 'content': "Additionally, network monitoring for unexpected outbound POST requests from the admin's browser to unknown external servers (potential exfiltration endpoints) when the User Mapping dropdown is accessed may help detect exploitation."}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Check the Anchorr version by querying the running instance or inspecting the deployed package version.'}, {'type': 'list_item', 'content': "Use browser developer tools or network monitoring tools (e.g., Wireshark, tcpdump) to detect suspicious network traffic originating from the admin's browser when interacting with the User Mapping dropdown."}, {'type': 'list_item', 'content': 'Audit Discord guild member display names for suspicious HTML or JavaScript content.'}] [1]

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade Anchorr to version 1.4.2 or later, which contains patches addressing the stored XSS vulnerabilities.

Version 1.4.2 includes multiple security improvements such as:

  • Refactoring the web dashboard to use safe DOM API methods instead of unsafe innerHTML interpolation, preventing XSS.
  • Validation of avatar URLs to ensure only safe URLs are used.
  • Sanitization of internationalization strings and configuration data to prevent script injection.
  • Masking sensitive configuration fields and preventing accidental credential exposure.
  • Addition of security response headers to enhance overall security posture.
  • Implementation of authentication rate limiting to mitigate brute-force attacks.

Until the update can be applied, restrict access to the Anchorr admin dashboard and monitor for suspicious Discord user activity in the guild.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart