CVE-2026-48116
Modified Modified - Updated After Analysis
Arbitrary Command Execution in AnythingLLM via ripgrep Pattern Injection

Publication date: 2026-05-28

Last updated on: 2026-05-30

Assigner: GitHub, Inc.

Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-30
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-48116
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mintplexlabs anythingllm to 1.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in AnythingLLM versions prior to 1.13.0 in the filesystem-search-files agent skill. This skill passes a pattern parameter controlled by the language model (LLM) directly to the ripgrep tool as a positional argument without using an end-of-options separator (--). Because ripgrep interprets any argument starting with a dash (-) as an option, an attacker can craft a pattern like "--pre=/bin/sh" which causes ripgrep to execute the /bin/sh shell for every file it processes. This allows an attacker who can interact with the agent on a deployment with the filesystem plugin enabled to execute arbitrary commands inside the AnythingLLM server container.

The vulnerability is fixed in version 1.13.0.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands inside the AnythingLLM server container if they can interact with the agent and the filesystem plugin is enabled. This can lead to full compromise of the server environment, including unauthorized access, data manipulation, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade AnythingLLM to version 1.13.0 or later, where the issue has been fixed.

Additionally, if you are running the official Docker image with the filesystem plugin enabled, consider disabling or restricting access to the filesystem-search-files agent skill and the filesystem-write-text-file skill to prevent attackers from exploiting this command execution vulnerability.

Compliance Impact

The vulnerability CVE-2026-48116 allows an attacker with agent access to execute arbitrary commands inside the AnythingLLM server container. This can lead to unauthorized access and potential compromise of sensitive data and services within the container.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized system access.

Detection Guidance

This vulnerability involves the filesystem-search-files agent skill passing an LLM-controlled pattern parameter to ripgrep without proper argument separation, allowing command injection. Detection involves checking if the AnythingLLM application version is prior to 1.13.0 and if the filesystem plugin is enabled.

To detect exploitation attempts or presence of this vulnerability, you can monitor for unusual ripgrep command executions with patterns starting with hyphens (e.g., "--pre=/bin/sh") or unexpected shell executions within the AnythingLLM server container.

Suggested commands to help detect potential exploitation attempts include:

  • Check the AnythingLLM version installed: `anythingllm --version` or check the Docker image tag.
  • Search for suspicious ripgrep processes with arguments starting with hyphens: `ps aux | grep rg` or `ps aux | grep ripgrep` and inspect the command line for patterns like "--pre=/bin/sh".
  • Monitor logs for filesystem-search-files agent skill usage or any commands invoking ripgrep with unusual parameters.
  • Audit files created or modified by the filesystem-write-text-file skill for unexpected scripts or commands.
  • Use container runtime security tools to detect shell executions or command injections inside the AnythingLLM server container.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48116. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart